ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
Updated: 2020-09-23T12:07:48Z

## bump up library versions and HOOKS_VERSION if needed (kea 1.9.0 release)
https://gitlab.isc.org/isc-projects/kea/-/issues/1427
Updated: 2020-09-23T12:07:48Z | Author: Michal Nowikowski

If not needed, please close this issue.

Milestone: kea1.9.0

## 1.9.0 release changes
https://gitlab.isc.org/isc-projects/kea/-/issues/1426
Updated: 2021-05-04T10:55:36Z | Author: Michal Nowikowski

Milestone: kea1.9.0 | Assignee: Michal Nowikowski

## statschannel python test leaves no forensic traces to work out what went wrong.
https://gitlab.isc.org/isc-projects/bind9/-/issues/2182
Updated: 2023-11-02T17:00:03Z | Author: Mark Andrews

Job [#1177271](https://gitlab.isc.org/isc-projects/bind9/-/jobs/1177271) failed for 7a822740e09fd56900383d35889892827dcf94c6:

Milestone: Not planned

## Follow-up from "Draft: Resolve "ThreadSanitizer: lock-order-inversion (potential deadlock) in pthread_mutex_lock""
https://gitlab.isc.org/isc-projects/bind9/-/issues/2181
Updated: 2021-03-04T14:18:10Z | Author: Mark Andrews

The following discussion from !4150 should be addressed:

- [ ] @ondrej started a [discussion](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4150#note_164756): (+7 comments)

  > Since this is the destroy code protected by the reference counter, why do we need the lock at all here?

## ThreadSanitizer: data race bin/named/server.c:9678:25 in view_loaded
https://gitlab.isc.org/isc-projects/bind9/-/issues/2180
Updated: 2020-09-30T14:49:25Z | Author: Ondřej Surý

```
WARNING: ThreadSanitizer: data race
Write of size 4 at 0x000000000001 by thread T1:
#0 view_loaded bin/named/server.c:9678:25
#1 call_loaddone lib/dns/zt.c:308:3
#2 doneloading lib/dns/zt.c:582:3
#3 zone_asyncload lib/dns/zone.c:2322:3
#4 dispatch lib/isc/task.c:1152:7
#5 run lib/isc/task.c:1344:2
Previous read of size 4 at 0x000000000001 by thread T2:
#0 named_server_status bin/named/server.c:11903:14
#1 named_control_docommand bin/named/control.c:272:12
#2 control_command bin/named/controlconf.c:390:17
#3 dispatch lib/isc/task.c:1152:7
#4 run lib/isc/task.c:1344:2
Location is heap block of size 409 at 0x000000000011 allocated by main thread:
#0 malloc <null>
#1 default_memalloc lib/isc/mem.c:713:8
#2 mem_get lib/isc/mem.c:622:8
#3 mem_allocateunlocked lib/isc/mem.c:1268:8
#4 isc___mem_allocate lib/isc/mem.c:1288:7
#5 isc__mem_allocate lib/isc/mem.c:2453:10
#6 isc___mem_get lib/isc/mem.c:1037:11
#7 isc__mem_get lib/isc/mem.c:2432:10
#8 named_server_create bin/named/server.c:9978:27
#9 setup bin/named/main.c:1256:2
#10 main bin/named/main.c:1523:2
Thread T1 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/pthreads/thread.c:73:8
#2 isc_taskmgr_create lib/isc/task.c:1434:3
#3 create_managers bin/named/main.c:915:11
#4 setup bin/named/main.c:1223:11
#5 main bin/named/main.c:1523:2
Thread T2 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/pthreads/thread.c:73:8
#2 isc_taskmgr_create lib/isc/task.c:1434:3
#3 create_managers bin/named/main.c:915:11
#4 setup bin/named/main.c:1223:11
#5 main bin/named/main.c:1523:2
SUMMARY: ThreadSanitizer: data race bin/named/server.c:9678:25 in view_loaded
```

Milestone: October 2020 (9.11.24, 9.11.24-S1, 9.16.8, 9.16.8-S1, 9.17.6) | Assignee: Mark Andrews

## Investigate core dump in zero system test.
https://gitlab.isc.org/isc-projects/bind9/-/issues/2179
Updated: 2021-04-02T09:13:32Z | Author: Mark Andrews

Job [#1174710](https://gitlab.isc.org/isc-projects/bind9/-/jobs/1174710) failed for f2c0aa1dfeec4e2b8bb03ffa11c2eddf2dcd5025:

Milestone: April 2021 (9.11.30/9.11.31, 9.11.30-S1/9.11.31-S1, 9.16.14/9.16.15, 9.16.14-S1/9.16.15-S1, 9.17.12)

## dnssec-keyfromlabel ECDSAP256SHA256 error on AEP Keypers HSM
https://gitlab.isc.org/isc-projects/bind9/-/issues/2178
Updated: 2021-01-29T13:19:28Z | Author: Peter Davies
### Summary
When attempting to generate an ECDSAP256SHA256 key pair from an AEP Keypers HSM, dnssec-keyfromlabel exits with a segmentation fault. For the core and binary see [RT #17055](https://support.isc.org/Ticket/Display.html?id=17055).
### BIND version used
```
BIND 9.16.6 (Stable Release) <id:25846cf>
running on Linux x86_64 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020
built by make with '--with-openssl=/opt/openssl-versions/openssl-1.1.1g/' '--prefix=/opt/bind-versions/bind-9.16.6' '--with-pkcs11=/opt/Keyper/PKCS11Provider-versions/PKCS11Provider-5.05/pkcs11.so' 'PKG_CONFIG_PATH=/opt/openssl-versions/openssl-1.1.1g/lib/pkgconfig'.
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39).
compiled with OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
compiled with libuv version: 1.38.0
linked to libuv version: 1.38.0
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /opt/bind-versions/bind-9.16.6/etc/named.conf
rndc configuration: /opt/bind-versions/bind-9.16.6/etc/rndc.conf
DNSSEC root key: /opt/bind-versions/bind-9.16.6/etc/bind.keys
nsupdate session key: /opt/bind-versions/bind-9.16.6/var/run/named/session.key
named PID file: /opt/bind-versions/bind-9.16.6/var/run/named/named.pid
named lock file: /opt/bind-versions/bind-9.16.6/var/run/named/named.lock
```
### Steps to reproduce
```
dnssec-keyfromlabel -E pkcs11 -a ECDSAP256SHA256 -l "token=prod.fr;object=re9166-zsk;pin-value=XXXX"
```
### What is the current *bug* behavior?
Segmentation fault (core dumped)
### What is the expected *correct* behavior?
Generation of key pair
### Relevant configuration files
OpenSSL 1.1.1g 21 Apr 2020

OpenSSL configuration:
```
openssl_conf = openssl_init
[...]
[ openssl_init ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /opt/bind/engines/pkcs11.so
MODULE_PATH = /opt/Keyper/PKCS11Provider-versions/PKCS11Provider-5.05/pkcs11.so
init = 0
```

Milestone: February 2021 (9.11.28, 9.11.28-S1, 9.16.12, 9.16.12-S1, 9.17.10) | Assignee: Matthijs Mekking (matthijs@isc.org)

## Description of "--with-dlopen" in "./configure" output is confusing
https://gitlab.isc.org/isc-projects/bind9/-/issues/2177
Updated: 2020-10-02T08:39:49Z | Author: Michał Kępień

In ~"v9.16", the description of `--with-dlopen` is:

```
--with-dlopen=ARG support dynamically loadable DLZ and DYNDB drivers
```

In ~"v9.11", it is:

```
--with-dlopen=ARG support dynamically loadable DLZ drivers
```
The problem is that the option controls more than that - specifically, if it is set to `auto` (default) or `yes`, it triggers the following [call][1]:

```
AC_SEARCH_LIBS([dlsym],[dl])
```

which means: "if the `dlsym()` function is found in libdl, append `-ldl` to `LIBS`".

This means that `--with-dlopen` does not just control whether DLZ/dyndb drivers will be built - it also detects whether the platform supports `dlopen()`. In other words, if `--without-dlopen` is used, `-ldl` will not be automatically added to `LIBS`, which means the platform will be treated as if `dlopen()` was unavailable on it.

This has consequences when certain combinations of `./configure` switches are used - should `--enable-native-pkcs11 --without-dlopen` work or not?

- If `--without-dlopen` only controls building DLZ/dyndb drivers, as claimed by `./configure`, then the above combination of switches should work - PKCS#11 has little to do with DLZ/dyndb. Yet, such a build breaks on PKCS#11 unit tests which *do* require `dlopen()` support (d'oh!) but `-ldl` is not in their `LIBS`.
- If `--without-dlopen` is also meant to mean "forcibly disable `dlopen()` support", then the above combination of switches should be prohibited at `./configure` time as it does not make sense (PKCS#11 is all about dynamically loading "providers" in the form of shared objects).

In ~"v9.16", the situation only gets more convoluted because - at least on Linux - `pkg-config --libs libuv` returns... `-luv -ldl`.

Plugins are also not mentioned in the output of `./configure` in ~"v9.16".

We need to decide whether we want to:

- revise the *description* of `--with-dlopen` in `./configure`, keeping `configure.ac` code as it is,
- revise `configure.ac` so that detection of `dlopen()` support *in the operating system* is decoupled from detection of the toolchain's capabilities of *building* `dlopen()`able objects.
[1]: https://gitlab.isc.org/isc-projects/bind9/-/blob/70a80769518c652305b95d89eb5558187c5b1ea6/configure.ac#L2418

Milestone: October 2020 (9.11.24, 9.11.24-S1, 9.16.8, 9.16.8-S1, 9.17.6) | Assignee: Michał Kępień

## basic UI system tests
https://gitlab.isc.org/isc-projects/stork/-/issues/412
Updated: 2020-10-20T10:06:53Z | Author: Wlodzimierz Wencel

Add basic automated UI system tests using `selenium`.

Milestone: 0.13 | Assignee: Wlodzimierz Wencel

## Stork cannot parse named.conf with multiple allow addresses in inet_spec
https://gitlab.isc.org/isc-projects/stork/-/issues/411
Updated: 2020-09-22T07:22:57Z | Author: Matthijs Mekking (matthijs@isc.org)

From the mailing list:

I am testing out using Stork for BIND9 in a lab environment. I can connect to the Stork Agent running on the BIND server without any problems, but Stork never shows the DNS service as running. I have verified that BIND is running.
When I check messages on the BIND server, I see the following:
```
Sep 21 14:46:22 bind_server stork-agent: #033[33mWARN#033[0m[2020-09-21 14:46:22] bind9.go:284 cannot parse BIND 9 statistics-channels clause
Sep 21 14:46:32 bind_server stork-agent: #033[33mWARN#033[0m[2020-09-21 14:46:32] bind9.go:91 cannot parse BIND 9 inet configuration: no match (controls {
```
The config syntax is valid from BIND's perspective. Does Stork have requirements above and beyond that?
Thanks!
Details:
BIND: 9.11.4
Stork: 0.11.0
Controls Clause of bind config:
```
controls {
inet 127.0.0.1 allow { localhost; };
inet * allow {localhost; 10.50.0.100; 10.50.0.105; };
};
```
Statistics Channel clause of bind config:
```
statistics-channels {
inet 10.50.0.105 port 80 allow { localhost; 10.50.0.100; 10.50.0.105; };
};
```

Milestone: 0.12

## stork should not use colors in logs if it is running as a service without terminal
https://gitlab.isc.org/isc-projects/stork/-/issues/410
Updated: 2022-02-04T09:07:57Z | Author: Michal Nowikowski

Currently people copy/paste logs with ANSI escape codes for colors. This should not happen.

```
Sep 21 14:46:22 bind_server stork-agent: #033[33mWARN#033[0m[2020-09-21 14:46:22] bind9.go:284 cannot parse BIND 9 statistics-channels clause
Sep 21 14:46:32 bind_server stork-agent: #033[33mWARN#033[0m[2020-09-21 14:46:32] bind9.go:91 cannot parse BIND 9 inet configuration: no match (controls {
```

Milestone: backlog

## Double call to pkcs_C_DestroyObject?
https://gitlab.isc.org/isc-projects/bind9/-/issues/2175
Updated: 2020-09-21T07:02:39Z | Author: Mark Andrews

Job [#1167823](https://gitlab.isc.org/isc-projects/bind9/-/jobs/1167823) failed for 469b4aeca03f02c2728c886bbbbaaf28e6e06ee8:

Milestone: October 2020 (9.11.24, 9.11.24-S1, 9.16.8, 9.16.8-S1, 9.17.6)

## dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys
https://gitlab.isc.org/isc-projects/bind9/-/issues/2174
Updated: 2020-10-12T08:04:48Z | Author: Michael Glanznig
### Summary
The new dnssec-policy seems to roll over KSKs of algorithm 15 even if no rollover is due according to the policy. Keys of algorithm 8 seem to work correctly. Also, a lot of rollovers were generated for both KSKs and ZSKs of algorithm 15 after the first rollout of the policy. This did not happen with algorithm 8 keys.
### BIND version used
```
BIND 9.16.7-Ubuntu (Stable Release) <id:6fd3eb7>
running on Linux x86_64 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-HlagpL/bind9-9.16.7=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 7.5.0
compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
Have two DNSSEC signed zones which are currently managed with `auto-dnssec maintain` and `inline-signing yes`. Both zones are used in a split-horizon setup and use an internal and an external view. Both views use DNSSEC. One zone uses algorithm 8 for ZSK and KSK while the other zone uses algorithm 15. Keys are managed manually and have no expiry dates set. Both keys are 6 months old. Change the zones to use a dnssec-policy instead, where according to the policy a ZSK rollover would be due. For the policies I used see [named.conf.policy](/uploads/e280b5c6a732ebb8e87c61efbda44200/named.conf.policy).
### What is the current *bug* behavior?
The above linked policies limit the KSK validity to one year and the ZSK to 3 months. Hence the ZSKs are due for rollover, but the KSKs aren't. This works well for algorithm 8 keys. The KSK stays untouched and a new ZSK is created while the old one is retired.
State files of keys:
```
; This is the state of key 10740, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Predecessor: 54528
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920185500 (Sun Sep 20 18:55:00 2020)
Retired: 20201222185500 (Tue Dec 22 18:55:00 2020)
Removed: 20210101200000 (Fri Jan 1 20:00:00 2021)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 39460, for REDACTED.
Algorithm: 8
Length: 2048
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200307174149 (Sat Mar 7 17:41:49 2020)
Published: 20200307174149 (Sat Mar 7 17:41:49 2020)
Active: 20200307174149 (Sat Mar 7 17:41:49 2020)
Retired: 20210307174149 (Sun Mar 7 17:41:49 2021)
Removed: 20210308214149 (Mon Mar 8 21:41:49 2021)
PublishCDS: 20200308184649 (Sun Mar 8 18:46:49 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
; This is the state of key 54528, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Successor: 10740
KSK: no
ZSK: yes
Generated: 20200307174138 (Sat Mar 7 17:41:38 2020)
Published: 20200307184138 (Sat Mar 7 18:41:38 2020)
Active: 20200307184138 (Sat Mar 7 18:41:38 2020)
Retired: 20200608184138 (Mon Jun 8 18:41:38 2020)
Removed: 20200618194638 (Thu Jun 18 19:46:38 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
```
However, for the algorithm 15 zone the KSK is also rolled over and a lot of transitions are generated. Again the state files:
```
; This is the state of key 1385, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 10893, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 14222, for REDACTED.
Algorithm: 15
Length: 256
KSK: yes
ZSK: no
Generated: 20200223141731 (Sun Feb 23 14:17:31 2020)
Published: 20200223141731 (Sun Feb 23 14:17:31 2020)
Active: 20200223141731 (Sun Feb 23 14:17:31 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
; This is the state of key 14939, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 46932, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 47719, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20210920175500 (Mon Sep 20 17:55:00 2021)
Removed: 20210921005500 (Tue Sep 21 00:55:00 2021)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
; This is the state of key 58697, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20201222175500 (Tue Dec 22 17:55:00 2020)
Removed: 20210101190000 (Fri Jan 1 19:00:00 2021)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 59076, for REDACTED.
Algorithm: 15
Length: 256
KSK: no
ZSK: yes
Generated: 20200223141612 (Sun Feb 23 14:16:12 2020)
Published: 20200223151612 (Sun Feb 23 15:16:12 2020)
Active: 20200223151612 (Sun Feb 23 15:16:12 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 62357, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 63427, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
```
### What is the expected *correct* behavior?
Algorithm 15 keys should behave in the same way as algorithm 8 keys. They should not roll over the KSK if it is not due and should not generate so many transitions.
### Relevant configuration files
See attached policy configuration.
### Relevant logs and/or screenshots
The DNSSEC portion of the log is attached in [dnssec.log](/uploads/a45dd08418ffa8f103f9c18152c6a5a3/dnssec.log). On my setup I have 4 zones. Two have keys with algorithm 8 and two have keys with algorithm 15. In reality those are domains with TLDs .at (15), .eu (15), .com (8), .de (8). All zones have an internal and an external view. I redacted the real domain names and named them `zone-algo-15-01/02` and `zone-algo-8-01/02` respectively.
### Additional question
Bind told me that `option 'parent-registration-delay' is obsolete and should be removed`. Why is that because I found that a useful option. In this case here I had to quickly update the DS at the registries since KSKs were rolled over. Is there a replacement or how is the need for manual intervention here handled?https://gitlab.isc.org/isc-projects/bind9/-/issues/2173dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys2020-10-12T08:08:05ZMichael Glanznigdnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
The new dnssec-policy seems to rollover KSKs of algorithm 15 even if no rollover is due according to the policy. Keys of algorithm 8 seem to work correctly. For KSKs and ZSKs also a lot of rollovers were generated for algorithm 15 keys after first rollout of the policy. This did not happen with algorithm 8 keys.
### BIND version used
```
BIND 9.16.7-Ubuntu (Stable Release) <id:6fd3eb7>
running on Linux x86_64 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-HlagpL/bind9-9.16.7=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 7.5.0
compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
Have two DNSSEC signed zones which are currently managed with `auto-dnssec maintain` and `inline-signing yes`. Both zones are used in a split-horizon setup and use a internal and external view. Both views use DNSSEC. One zone uses algorithm 8 for ZSK and KSK while the other zone uses algorithm 15. Keys are managed manually and have no expiry dates set. Both keys are 6 months old. Change the zones to use a dnssec-policy instead where according to the policy a ZSK rollover would be due. For policies I used see [named.conf.policy](/uploads/e280b5c6a732ebb8e87c61efbda44200/named.conf.policy).
### What is the current *bug* behavior?
The above linked policies limit the KSK validity to one year and the ZSK to 3 months. Hence the ZSKs are due for rollover, but the KSKs aren't. This works well for algorithm 8 keys. The KSK stays untouched and a new ZSK is created while the old one is retired.
State files of keys:
```
; This is the state of key 10740, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Predecessor: 54528
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920185500 (Sun Sep 20 18:55:00 2020)
Retired: 20201222185500 (Tue Dec 22 18:55:00 2020)
Removed: 20210101200000 (Fri Jan 1 20:00:00 2021)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 39460, for REDACTED.
Algorithm: 8
Length: 2048
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200307174149 (Sat Mar 7 17:41:49 2020)
Published: 20200307174149 (Sat Mar 7 17:41:49 2020)
Active: 20200307174149 (Sat Mar 7 17:41:49 2020)
Retired: 20210307174149 (Sun Mar 7 17:41:49 2021)
Removed: 20210308214149 (Mon Mar 8 21:41:49 2021)
PublishCDS: 20200308184649 (Sun Mar 8 18:46:49 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
; This is the state of key 54528, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Successor: 10740
KSK: no
ZSK: yes
Generated: 20200307174138 (Sat Mar 7 17:41:38 2020)
Published: 20200307184138 (Sat Mar 7 18:41:38 2020)
Active: 20200307184138 (Sat Mar 7 18:41:38 2020)
Retired: 20200608184138 (Mon Jun 8 18:41:38 2020)
Removed: 20200618194638 (Thu Jun 18 19:46:38 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
```
However, for the algorithm 15 zone the KSK is also rolled over and a lot of transitions are generated. Again the state files:
```
; This is the state of key 1385, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 10893, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 14222, for REDACTED.
Algorithm: 15
Length: 256
KSK: yes
ZSK: no
Generated: 20200223141731 (Sun Feb 23 14:17:31 2020)
Published: 20200223141731 (Sun Feb 23 14:17:31 2020)
Active: 20200223141731 (Sun Feb 23 14:17:31 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
; This is the state of key 14939, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 46932, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 47719, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20210920175500 (Mon Sep 20 17:55:00 2021)
Removed: 20210921005500 (Tue Sep 21 00:55:00 2021)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
; This is the state of key 58697, for REDACTED.
Algorithm: 15
Length: 256
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20201222175500 (Tue Dec 22 17:55:00 2020)
Removed: 20210101190000 (Fri Jan 1 19:00:00 2021)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 59076, for REDACTED.
Algorithm: 15
Length: 256
KSK: no
ZSK: yes
Generated: 20200223141612 (Sun Feb 23 14:16:12 2020)
Published: 20200223151612 (Sun Feb 23 15:16:12 2020)
Active: 20200223151612 (Sun Feb 23 15:16:12 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 62357, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 63427, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
```
### What is the expected *correct* behavior?
Algorithm 15 keys should behave in the same way as algorithm 8 keys. They should not roll over the KSK if it is not due and should not generate so many transitions.
### Relevant configuration files
See attached policy configuration.
### Relevant logs and/or screenshots
The DNSSEC portion of the log is attached in [dnssec.log](/uploads/a45dd08418ffa8f103f9c18152c6a5a3/dnssec.log). On my setup I have 4 zones. Two have keys with algorithm 8 and two have keys with algorithm 15. In reality those are domains with TLDs .at (15), .eu (15), .com (8), .de (8). All zones have an internal and an external view. I redacted the real domain names and named them `zone-algo-15-01/02` and `zone-algo-8-01/02` respectively.
### Additional question
Bind told me that `option 'parent-registration-delay' is obsolete and should be removed`. Why is that? I found that a useful option. In this case I had to quickly update the DS at the registries since the KSKs were rolled over. Is there a replacement, or how is the need for manual intervention handled here?

Assignee: Matthijs Mekking (matthijs@isc.org)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2172 dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys (2020-10-12T08:04:41Z, Michael Glanznig)
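As an added editorial example (not part of any issue report on this page and not BIND's own code), the following Python checker parses key state files in the format quoted in the report above and lists every key whose `Retired` stamp falls before `Active` plus `Lifetime`, which is exactly the condition the reporter observed for the algorithm 15 KSKs. The function names `parse_state_files` and `early_retirements` and the `SAMPLE_STATE` input are mine; the sample is constructed from three of the records quoted above (an algorithm 8 KSK that keeps its full lifetime, the algorithm 15 KSK 1385 that is retired at the moment it becomes active, and an imported key without a `Lifetime`).

```python
"""Flag BIND 9 dnssec-policy keys retired before their lifetime elapsed.

Added editorial example, not BIND's own code. Field names are the ones
visible in the quoted state files; the sample input is constructed from
three of those records (zone name redacted as in the report).
"""
import re
from datetime import datetime, timedelta

# Constructed sample input (three records from the report, trimmed to the
# fields this check needs).
SAMPLE_STATE = """\
; This is the state of key 39460, for REDACTED.
Algorithm: 8
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200307174149 (Sat Mar 7 17:41:49 2020)
Active: 20200307174149 (Sat Mar 7 17:41:49 2020)
Retired: 20210307174149 (Sun Mar 7 17:41:49 2021)
GoalState: omnipresent
; This is the state of key 1385, for REDACTED.
Algorithm: 15
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
GoalState: hidden
; This is the state of key 14222, for REDACTED.
Algorithm: 15
KSK: yes
ZSK: no
Generated: 20200223141731 (Sun Feb 23 14:17:31 2020)
Active: 20200223141731 (Sun Feb 23 14:17:31 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
GoalState: hidden
"""

_HEADER = re.compile(r";\s*This is the state of key (\d+), for (\S+)\.")
_STAMP = re.compile(r"\d{14}\b")


def _parse_stamp(value):
    """'20200920175500 (Sun Sep 20 ...)' -> datetime; the parenthesised
    human-readable form repeats the numeric stamp and is ignored."""
    return datetime.strptime(value.split()[0], "%Y%m%d%H%M%S")


def parse_state_files(text):
    """Split concatenated key state files into one dict per key.

    A record starts at the '; This is the state of key N, for ZONE.' line.
    KSK/ZSK become booleans, Algorithm/Length/Lifetime/Predecessor/Successor
    become ints, 14-digit stamps become datetimes, everything else stays text.
    """
    keys = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            match = _HEADER.match(line)
            if match:
                current = {"keyid": int(match.group(1)), "zone": match.group(2)}
                keys.append(current)
            continue
        if current is None or ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name in ("KSK", "ZSK"):
            current[name] = value == "yes"
        elif name in ("Algorithm", "Length", "Lifetime", "Predecessor", "Successor"):
            current[name] = int(value)
        elif _STAMP.match(value):
            current[name] = _parse_stamp(value)
        else:
            current[name] = value
    return keys


def early_retirements(keys):
    """Return (keyid, role, seconds_early) for each key whose Retired stamp
    is earlier than Active + Lifetime, i.e. a rollover the policy did not
    make due. Keys without Lifetime, Active or Retired are skipped; manually
    managed keys imported into a policy normally carry no Lifetime."""
    findings = []
    for key in keys:
        if not all(field in key for field in ("Lifetime", "Active", "Retired")):
            continue
        due = key["Active"] + timedelta(seconds=key["Lifetime"])
        if key["Retired"] < due:
            role = "KSK" if key.get("KSK") else "ZSK"
            early = int((due - key["Retired"]).total_seconds())
            findings.append((key["keyid"], role, early))
    return findings


if __name__ == "__main__":
    for keyid, role, early in early_retirements(parse_state_files(SAMPLE_STATE)):
        print(f"key {keyid} ({role}) retired {early} s before its lifetime ended")
```

Run against the concatenated `K*.state` files of a zone's key directory, the checker reports only key 1385 on the sample, retired a full 31536000 seconds (its whole one-year lifetime) early, while the algorithm 8 KSK 39460 and the lifetime-less imported key 14222 pass. Comparing `Retired` with `Active` rather than `Generated` matches how the quoted state files are laid out: in every policy-managed record above, `Retired` equals `Active` plus `Lifetime`.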

https://gitlab.isc.org/isc-projects/bind9/-/issues/2171 dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys (2020-10-12T08:04:21Z, Michael Glanznig)
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
The new dnssec-policy seems to rollover KSKs of algorithm 15 even if no rollover is due according to the policy. Keys of algorithm 8 seem to work correctly. For KSKs and ZSKs also a lot of rollovers were generated for algorithm 15 keys after first rollout of the policy. This did not happen with algorithm 8 keys.
### BIND version used
```
BIND 9.16.7-Ubuntu (Stable Release) <id:6fd3eb7>
running on Linux x86_64 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-HlagpL/bind9-9.16.7=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 7.5.0
compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
Have two DNSSEC signed zones which are currently managed with `auto-dnssec maintain` and `inline-signing yes`. Both zones are used in a split-horizon setup and use a internal and external view. Both views use DNSSEC. One zone uses algorithm 8 for ZSK and KSK while the other zone uses algorithm 15. Keys are managed manually and have no expiry dates set. Both keys are 6 months old. Change the zones to use a dnssec-policy instead where according to the policy a ZSK rollover would be due. For policies I used see [named.conf.policy](/uploads/e280b5c6a732ebb8e87c61efbda44200/named.conf.policy).
### What is the current *bug* behavior?
The above linked policies limit the KSK validity to one year and the ZSK to 3 months. Hence the ZSKs are due for rollover, but the KSKs aren't. This works well for algorithm 8 keys. The KSK stays untouched and a new ZSK is created while the old one is retired.
State files of keys:
```
; This is the state of key 10740, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Predecessor: 54528
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920185500 (Sun Sep 20 18:55:00 2020)
Retired: 20201222185500 (Tue Dec 22 18:55:00 2020)
Removed: 20210101200000 (Fri Jan 1 20:00:00 2021)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 39460, for REDACTED.
Algorithm: 8
Length: 2048
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200307174149 (Sat Mar 7 17:41:49 2020)
Published: 20200307174149 (Sat Mar 7 17:41:49 2020)
Active: 20200307174149 (Sat Mar 7 17:41:49 2020)
Retired: 20210307174149 (Sun Mar 7 17:41:49 2021)
Removed: 20210308214149 (Mon Mar 8 21:41:49 2021)
PublishCDS: 20200308184649 (Sun Mar 8 18:46:49 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
; This is the state of key 54528, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Successor: 10740
KSK: no
ZSK: yes
Generated: 20200307174138 (Sat Mar 7 17:41:38 2020)
Published: 20200307184138 (Sat Mar 7 18:41:38 2020)
Active: 20200307184138 (Sat Mar 7 18:41:38 2020)
Retired: 20200608184138 (Mon Jun 8 18:41:38 2020)
Removed: 20200618194638 (Thu Jun 18 19:46:38 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
```
However, for the algorithm 15 zone also the KSK is rolled over and a lot of transitions are generated. Again the state files:
```
; This is the state of key 1385, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 10893, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 14222, for REDACTED.
Algorithm: 15
Length: 256
KSK: yes
ZSK: no
Generated: 20200223141731 (Sun Feb 23 14:17:31 2020)
Published: 20200223141731 (Sun Feb 23 14:17:31 2020)
Active: 20200223141731 (Sun Feb 23 14:17:31 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
; This is the state of key 14939, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 46932, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 47719, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20210920175500 (Mon Sep 20 17:55:00 2021)
Removed: 20210921005500 (Tue Sep 21 00:55:00 2021)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
; This is the state of key 58697, for REDACTED.
Algorithm: 15
Length: 256
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20201222175500 (Tue Dec 22 17:55:00 2020)
Removed: 20210101190000 (Fri Jan 1 19:00:00 2021)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 59076, for REDACTED.
Algorithm: 15
Length: 256
KSK: no
ZSK: yes
Generated: 20200223141612 (Sun Feb 23 14:16:12 2020)
Published: 20200223151612 (Sun Feb 23 15:16:12 2020)
Active: 20200223151612 (Sun Feb 23 15:16:12 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 62357, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 63427, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
```
### What is the expected *correct* behavior?
Algorithm 15 keys should behave in the same way as algorithm 8 keys. They should not roll over the KSK if not due and should not generate so many transitions.
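An added example, not part of this issue report and not BIND code: a small checker that parses a key state dump like the one above and flags keys that were retired before `Active + Lifetime` elapsed. The sample input is an excerpt of three keys from the dump (fields the check does not need are left out, zone name kept as `REDACTED`); the field names and timestamp format are taken from the dump itself. Run on the two KSKs, it reports the 5-minute and 0-minute retirements that the issue describes, while the ZSK with a 93-day lifetime passes.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the key state dump posted in the issue (three of the keys, with the
# fields this check does not need omitted); constructed sample input for this example.
SAMPLE = """\
; This is the state of key 58697, for REDACTED.
Algorithm: 15
Lifetime: 8035200
KSK: no
ZSK: yes
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20201222175500 (Tue Dec 22 17:55:00 2020)
GoalState: omnipresent
; This is the state of key 62357, for REDACTED.
Algorithm: 15
Lifetime: 31536000
KSK: yes
ZSK: no
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
GoalState: hidden
; This is the state of key 63427, for REDACTED.
Algorithm: 15
Lifetime: 31536000
KSK: yes
ZSK: no
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
GoalState: hidden
"""

HEADER = re.compile(r"^; This is the state of key (\d+), for (\S+)$")
TIME_FIELDS = {"Generated", "Published", "Active", "Retired", "Removed", "PublishCDS",
               "DNSKEYChange", "KRRSIGChange", "ZRRSIGChange", "DSChange"}


def parse_timestamp(value):
    """'20200920175500 (Sun Sep 20 17:55:00 2020)' -> datetime; the comment is ignored."""
    return datetime.strptime(value.split()[0], "%Y%m%d%H%M%S")


def parse_key_states(text):
    """Split a key state dump into one dict per key. Lines before the first
    '; This is the state of key' header (a dump that starts mid-key) are skipped."""
    keys, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"keytag": int(m.group(1)), "zone": m.group(2).rstrip(".")}
            keys.append(current)
            continue
        if not line or line.startswith(";") or current is None:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field in TIME_FIELDS:
            current[field] = parse_timestamp(value)
        elif field in ("KSK", "ZSK"):
            current[field] = value == "yes"
        elif field in ("Algorithm", "Length", "Lifetime"):
            current[field] = int(value)
        else:
            current[field] = value
    return keys


def role(key):
    if key.get("KSK") and key.get("ZSK"):
        return "CSK"
    return "KSK" if key.get("KSK") else "ZSK"


def premature_retirements(keys):
    """Keytags of keys whose Retired time comes before Active + Lifetime.

    Keys without a Lifetime (unlimited, or predecessors created before the policy
    was applied) are not assessed. A key retired at the instant it became active
    counts as premature too: it never did any useful work.
    """
    flagged = []
    for key in keys:
        if not all(f in key for f in ("Lifetime", "Active", "Retired")):
            continue
        due = key["Active"] + timedelta(seconds=key["Lifetime"])
        if key["Retired"] < due:
            flagged.append(key["keytag"])
    return flagged


def report(text):
    """One line per key: zone, tag, role, algorithm, time active, lifetime, verdict."""
    keys = parse_key_states(text)
    early = set(premature_retirements(keys))
    lines = []
    for key in keys:
        if "Active" in key and "Retired" in key:
            active_for = key["Retired"] - key["Active"]
        else:
            active_for = "still active"
        verdict = "RETIRED EARLY" if key["keytag"] in early else "ok"
        lines.append(f"{key['zone']} key {key['keytag']} {role(key)} alg {key['Algorithm']} "
                     f"active {active_for} lifetime {key.get('Lifetime', 'unlimited')}s: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Feed it the full dump (`parse_key_states(open(path).read())`) to get one verdict per key; the parser tolerates a dump that starts in the middle of a key, as the one in this issue does.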
### Relevant configuration files
See attached policy configuration.
### Relevant logs and/or screenshots
The DNSSEC portion of the log is attached in [dnssec.log](/uploads/a45dd08418ffa8f103f9c18152c6a5a3/dnssec.log). On my setup I have 4 zones. Two have keys with algorithm 8 and two have keys with algorithm 15. In reality those are domains with TLDs .at (15), .eu (15), .com (8), .de (8). All zones have an internal and an external view. I redacted the real domain names and named them `zone-algo-15-01/02` and `zone-algo-8-01/02` respectively.
### Additional question
Bind told me that `option 'parent-registration-delay' is obsolete and should be removed`. Why is that? I found that a useful option. In this case here I had to quickly update the DS at the registries since KSKs were rolled over. Is there a replacement or how is the need for manual intervention handled here?

October 2020 (9.11.24, 9.11.24-S1, 9.16.8, 9.16.8-S1, 9.17.6)
Matthijs Mekking <matthijs@isc.org>

https://gitlab.isc.org/isc-projects/bind9/-/issues/2170
rndc reconfig and plugin
2020-09-21T13:06:57Z Wayne Epstein

### Summary
Not positive this is a bug but it seems odd to me.
When rndc reconfig is run a plugin will be loaded and then unloaded.
### BIND version used
```
BIND 9.14.6 (Stable Release) <id:unset_id>
running on Linux x86_64 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29)
built by make with '--enable-dnstap' '--enable-dnsrps' '--sysconfdir=/etc/bind'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
configure a plugin
start bind9
rndc reconfig
look at named.run
### What is the current *bug* behavior?
When rndc reconfig is run a plugin is loaded and then unloaded - see named.run.
### What is the expected *correct* behavior?
Would expect plugin to be unloaded and then loaded.
### Relevant configuration files
n/a
### Relevant logs and/or screenshots
```
14-Sep-2020 15:16:02.445 config: info: none:100: 'max-cache-size 90%' - setting to 3414MB (out of 3793MB)
14-Sep-2020 15:16:02.445 config: info: /etc/bind/named.conf.options:8: using specific query-source port suppresses port randomization and can be insecure.
14-Sep-2020 15:16:02.448 general: debug 1: managed-keys-zone: synchronizing trusted keys
!!!! 14-Sep-2020 15:16:02.448 general: info: loading plugin '/home/wepp/source/bind/bind9-v9_14/bin/plugins/filter-aaaa.so'
14-Sep-2020 15:16:02.448 general: info: registering plugin '/home/wepp/source/bind/bind9-v9_14/bin/plugins/filter-aaaa.so'
14-Sep-2020 15:16:02.448 general: info: registering 'filter-aaaa' module from /etc/bind/named.conf:28, with parameters
14-Sep-2020 15:16:02.449 general: debug 1: zone_settimer: zone version.bind/CH: enter
14-Sep-2020 15:16:02.449 general: debug 1: zone_settimer: zone hostname.bind/CH: enter
14-Sep-2020 15:16:02.449 general: debug 1: zone_settimer: zone authors.bind/CH: enter
14-Sep-2020 15:16:02.449 general: debug 1: zone_settimer: zone id.server/CH: enter
14-Sep-2020 15:16:02.449 config: info: none:100: 'max-cache-size 90%' - setting to 3414MB (out of 3793MB)
14-Sep-2020 15:16:02.449 config: info: /etc/bind/named.conf.options:8: using specific query-source port suppresses port randomization and can be insecure.
14-Sep-2020 15:16:02.452 general: info: configuring command channel from '/etc/bind/rndc.key'
14-Sep-2020 15:16:02.452 general: info: configuring command channel from '/etc/bind/rndc.key'
14-Sep-2020 15:16:02.452 general: debug 1: now using logging configuration from config file
14-Sep-2020 15:16:02.453 general: debug 1: load_configuration: success
14-Sep-2020 15:16:02.453 general: info: reloading configuration succeeded
14-Sep-2020 15:16:02.454 general: info: scheduled loading new zones
14-Sep-2020 15:16:02.455 database: debug 1: calling free_rbtdb(.)
14-Sep-2020 15:16:02.455 database: debug 1: done free_rbtdb(.)
!!!! 14-Sep-2020 15:16:02.455 general: debug 1: unloading plugin '/home/wepp/source/bind/bind9-v9_14/bin/plugins/filter-aaaa.so'
14-Sep-2020 15:16:02.456 general: info: any newly configured zones are now loaded
```
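An added example, not the reporter's and not BIND code: a script that parses the named.run excerpt above and orders the plugin events around the `reloading configuration succeeded` line. In the excerpt the `loading plugin` line (15:16:02.448) comes before `load_configuration: success` (15:16:02.453) and the `unloading plugin` line (15:16:02.455) comes after it, which is consistent with the new configuration being built, plugin included, before the old one is released, rather than one instance being reloaded in the wrong order. The same pass also collects the config warning in that log about a fixed `query-source` port; that one matters independently of the plugin question, because port randomization is what makes cache-poisoning guesses expensive. The log lines are a constructed sample copied from the excerpt with the reporter's `!!!!` markers removed.

```python
import re
from datetime import datetime

# Lines from the named.run excerpt in the issue (the reporter's "!!!!" markers removed);
# constructed sample input for this example.
SAMPLE_LOG = """\
14-Sep-2020 15:16:02.445 config: info: /etc/bind/named.conf.options:8: using specific query-source port suppresses port randomization and can be insecure.
14-Sep-2020 15:16:02.448 general: debug 1: managed-keys-zone: synchronizing trusted keys
14-Sep-2020 15:16:02.448 general: info: loading plugin '/home/wepp/source/bind/bind9-v9_14/bin/plugins/filter-aaaa.so'
14-Sep-2020 15:16:02.448 general: info: registering plugin '/home/wepp/source/bind/bind9-v9_14/bin/plugins/filter-aaaa.so'
14-Sep-2020 15:16:02.453 general: debug 1: load_configuration: success
14-Sep-2020 15:16:02.453 general: info: reloading configuration succeeded
14-Sep-2020 15:16:02.455 general: debug 1: unloading plugin '/home/wepp/source/bind/bind9-v9_14/bin/plugins/filter-aaaa.so'
14-Sep-2020 15:16:02.456 general: info: any newly configured zones are now loaded
"""

# "<date> <time> <category>: <severity[ level]>: <message>", the named.run layout above.
LINE = re.compile(r"^(\S+ \S+) (\w+): (\w+(?: \d+)?): (.*)$")
PLUGIN_EVENTS = {"loading plugin": "load", "registering plugin": "register",
                 "unloading plugin": "unload"}


def parse_line(line):
    """-> (timestamp, category, severity, message), or None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group(2), m.group(3), m.group(4)


def plugin_timeline(log):
    """(timestamp, event, plugin path) for plugin load/register/unload lines, plus a
    'reconfig-ok' marker (path None) where named reports the reload succeeded."""
    events = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _, _, msg = parsed
        if msg == "reloading configuration succeeded":
            events.append((ts, "reconfig-ok", None))
            continue
        for prefix, event in PLUGIN_EVENTS.items():
            if msg.startswith(prefix):
                events.append((ts, event, re.search(r"'([^']+)'", msg).group(1)))
    return events


def _first(timeline, event):
    return next((ts for ts, e, _ in timeline if e == event), None)


def load_before_unload(timeline):
    """True when the first plugin load precedes the first unload: the order the
    reporter observed on rndc reconfig."""
    load, unload = _first(timeline, "load"), _first(timeline, "unload")
    return load is not None and unload is not None and load <= unload


def overlap_seconds(timeline):
    """Seconds between the new instance being loaded and the old one being unloaded."""
    return (_first(timeline, "unload") - _first(timeline, "load")).total_seconds()


def security_warnings(log):
    """'file:line' of config-category warnings that named itself calls insecure."""
    found = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "config" and "insecure" in parsed[3]:
            m = re.match(r"^(\S+:\d+): ", parsed[3])
            found.append(m.group(1) if m else parsed[3])
    return found


if __name__ == "__main__":
    timeline = plugin_timeline(SAMPLE_LOG)
    for ts, event, path in timeline:
        print(ts.time(), event, path or "")
    print("load before unload:", load_before_unload(timeline),
          "overlap:", overlap_seconds(timeline), "s")
    print("insecure config at:", security_warnings(SAMPLE_LOG))
```

Point it at a full named.run with debug level 1 or higher (the `unloading plugin` line is logged at debug 1, so it is absent at the default level) and compare the plugin paths in the load and unload events: a reconfig that changed the plugin path shows two different paths, which makes the two-instances reading obvious.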
### Possible fixes
unknown

https://gitlab.isc.org/isc-projects/kea/-/issues/1424
Escape character code in keactrl (missed)
2021-09-30T18:01:44Z Francis Dupont

#1200 fixed some but not all \e vs \033 issues.
https://gitlab.isc.org/isc-projects/kea/-/merge_requests/757#note_164489

kea1.9.2

https://gitlab.isc.org/isc-projects/kea/-/issues/1423
Generate tests for syntax entry uniqueness
2020-10-20T12:39:47Z Francis Dupont

The following discussion from #1102 !928 should be addressed:
- [ ] @marcin started a [discussion](https://gitlab.isc.org/isc-projects/kea/-/merge_requests/928#note_163552): (+3 comments)
> It would be good to extend these tests to have a list of all supported parameters and iterate over them and see if an error is raised when they are duplicated. This test only covers selected ones.

kea1.9.1
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/1422
compilation warning on Ubuntu 20.04
2020-10-02T11:40:38Z Tomek Mrugalski

Just a minor thing:
```
make[6]: Entering directory '/home/thomson/devel/kea/kea-1.9.0-git/_build/sub/src/lib/asiolink'
CXX libkea_asiolink_la-addr_utilities.lo
../../../../../src/lib/asiolink/addr_utilities.cc: In function ‘isc::asiolink::IOAddress isc::asiolink::offsetAddress(const isc::asiolink::IOAddress&, uint64_t)’:
../../../../../src/lib/asiolink/addr_utilities.cc:396:9: warning: unused variable ‘offset_idx’ [-Wunused-variable]
396 | int offset_idx = 0;
| ^~~~~~~~~~
```

kea1.9.1
Tomek Mrugalski