Running dnssec-keymgr with old keys inactivates/deletes them immediately
Tested with 9.11.2, but I haven't seen any commits in master that would fix this, so reporting anyway.
When you run dnssec-keymgr with keys that are older (Activation Time further in the past) than the configured (or default) roll-period, the keys are set to be inactive/deleted at a date way in the past. You can easily test this with the default policy by creating a ZSK that has been activated 2 years in the past:
# dnssec-keygen -f KSK -A -2y -a RSASHA256 -b 2048 example.com
Generating key pair......................................................+++ .........................................+++
Kexample.com.+008+37477
# dnssec-keygen -A -2y -a RSASHA256 -b 2048 example.com
Generating key pair....................................+++ ....................+++
Kexample.com.+008+19905
# dnssec-coverage
WARNING: Maximum TTL value was not specified. Using 1 week
(604800 seconds); re-run with the -m option to get more
accurate results.
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.com, algorithm RSASHA256...
Sun Feb 28 16:02:23 UTC 2016:
Publish: example.com/RSASHA256/37477 (KSK)
Activate: example.com/RSASHA256/37477 (KSK)
No errors found
Checking scheduled ZSK events for zone example.com, algorithm RSASHA256...
Sun Feb 28 16:02:25 UTC 2016:
Publish: example.com/RSASHA256/19905 (ZSK)
Activate: example.com/RSASHA256/19905 (ZSK)
No errors found
; This is a zone-signing key, keyid 19905, for example.com.
; Created: 20180227160225 (Tue Feb 27 17:02:25 2018)
; Publish: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Activate: 20160228160225 (Sun Feb 28 17:02:25 2016)
Now running dnssec-keymgr sets the key to Inactivate at Publish+1y (which is 1 year in the past) and delete a month later. Additionally, the generation of the NEW ZSK fails with a Python error, which leaves the zone without any active ZSK:
# dnssec-keymgr
# /usr/sbin/dnssec-settime -K . -I 20170227160225 -D 20170329160225 Kexample.com.+008+19905
# /usr/sbin/dnssec-keygen -q -K . -S Kexample.com.+008+19905 -L 3600 -i 2592000
Unable to apply policy: example.com/RSASHA256: Can't convert 'bytes' object to str implicitly
; This is a zone-signing key, keyid 19905, for example.com.
; Created: 20180227160225 (Tue Feb 27 17:02:25 2018)
; Publish: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Activate: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Inactive: 20170227160225 (Mon Feb 27 17:02:25 2017)
; Delete: 20170329160225 (Wed Mar 29 18:02:25 2017)
The next run of dnssec-keymgr generates a new ZSK.
In the end this creates a completely messed up ZSK rollover where the DNSKEY is pulled immediately without a new ZSK being present.
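As an added illustration of the failure mode described in this report (not ISC's dnssec-keymgr code, and not a fix for it), the script below reconstructs the schedule arithmetic from the timestamps shown above and turns it into a pre-flight check you can run before dnssec-keymgr touches a zone. It assumes the policy values observed in the report: a roll period of 365 days (Inactive = Activate + 1y; here Publish and Activate are equal, so either base gives the same dates) and a 30-day prepublish interval (the `-i 2592000` passed to dnssec-keygen). The key-file header is a constructed copy of the `Kexample.com.+008+19905.key` comment lines; `check_key` and the other function names are mine.

```python
#!/usr/bin/env python3
"""Pre-flight check: would a keymgr-style policy schedule this key's
Inactive/Delete dates in the past?

Reconstructed from the timestamps in the bug report; this is NOT
ISC's dnssec-keymgr implementation and does not fix it.
"""
import re
from datetime import datetime, timedelta

# Policy values as observed in the report (assumed, not read from a
# dnssec-policy file): Inactive = Activate + 1 year, Delete = Inactive +
# the 30-day prepublish interval (dnssec-keygen -i 2592000).
ROLL_PERIOD = timedelta(days=365)
PREPUBLISH = timedelta(seconds=2592000)

# dnssec-keygen/dnssec-settime timestamp format (UTC).
TIMEFMT = "%Y%m%d%H%M%S"

# Constructed sample: the comment header of Kexample.com.+008+19905.key
# as printed in the report (the DNSKEY RDATA is a placeholder).
SAMPLE_KEYFILE = """\
; This is a zone-signing key, keyid 19905, for example.com.
; Created: 20180227160225 (Tue Feb 27 17:02:25 2018)
; Publish: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Activate: 20160228160225 (Sun Feb 28 17:02:25 2016)
example.com. IN DNSKEY 256 3 8 AwEAAc...
"""
SAMPLE_KEYNAME = "Kexample.com.+008+19905"


def parse_key_times(text):
    """Map 'Created'/'Publish'/'Activate'/... to datetimes, taken from the
    '; Field: YYYYMMDDHHMMSS (...)' comment lines of a .key file."""
    times = {}
    for m in re.finditer(r"^;\s*(\w+):\s*(\d{14})", text, re.MULTILINE):
        times[m.group(1)] = datetime.strptime(m.group(2), TIMEFMT)
    return times


def schedule_rollover(activate):
    """Dates a policy derives purely from Activate, with no reference to
    the current time. This is the arithmetic that goes wrong for old keys."""
    inactive = activate + ROLL_PERIOD
    delete = inactive + PREPUBLISH
    return inactive, delete


def settime_command(keyname, inactive, delete):
    """The dnssec-settime invocation such a schedule would produce."""
    return "dnssec-settime -K . -I %s -D %s %s" % (
        inactive.strftime(TIMEFMT), delete.strftime(TIMEFMT), keyname)


def check_key(text, keyname, now):
    """Return (ok, inactive, delete, settime_cmd).

    ok is False when the derived Inactive date is not in the future, i.e.
    applying the schedule would retire the key immediately, before any
    successor ZSK has been prepublished.
    """
    times = parse_key_times(text)
    inactive, delete = schedule_rollover(times["Activate"])
    cmd = settime_command(keyname, inactive, delete)
    return inactive > now, inactive, delete, cmd


if __name__ == "__main__":
    # Use the key's Created time as "now" so the run reproduces the report;
    # in real use substitute datetime.utcnow().
    now = parse_key_times(SAMPLE_KEYFILE)["Created"]
    ok, inactive, delete, cmd = check_key(SAMPLE_KEYFILE, SAMPLE_KEYNAME, now)
    print(cmd)
    if not ok:
        print("REFUSE: Inactive %s is not after now %s; key would be retired "
              "immediately with no active successor" % (inactive, delete))
```

Run against a key directory, this flags exactly the situation in the report: a key activated two years ago gets an Inactive date a year in the past, and the emitted dnssec-settime line matches the one dnssec-keymgr printed above. A sane workaround until the tool is fixed is to set `-I`/`-D` on such keys by hand to future dates (and generate the successor first) rather than letting the policy derive them from Activate.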