Changing from auto-dnssec maintain to dnssec-policy x immediately deletes existing keys
Summary
Trying to migrate an already signed zone from auto-dnssec maintain to dnssec-policy x leads to immediate replacement of all keys (not even doing a normal rollover).
Also discussed on bind-users: https://lists.isc.org/pipermail/bind-users/2020-March/102817.html
BIND version used
$ named -V
BIND 9.16.1 (Stable Release) <id:d497c32>
running on Linux x86_64 5.3.0-42-generic #34-Ubuntu SMP Fri Feb 28 05:49:40 UTC 2020
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-4Ash1G/bind9-9.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 9.2.1 20191008
compiled with OpenSSL version: OpenSSL 1.1.1c 28 May 2019
linked to OpenSSL version: OpenSSL 1.1.1c 28 May 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
$
Steps to reproduce
- Change "auto-dnssec maintain;" to "dnssec-policy x;".
- Restart/reload.
What is the current bug behavior?
All existing keys (including KSK) are immediately deleted and replaced with new keys.
What is the expected correct behavior?
Existing keys continue to be used if compatible. If not compatible, I would think that some rollover procedure should be initiated?
Relevant configuration files
Policy for test purposes (named to keep track of what is what while testing):
dnssec-policy alg13-ksk-unlimited-zsk-60day {
    keys {
        ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
        zsk key-directory lifetime P60D algorithm ECDSAP256SHA256;
    };
};
(Existing keys are separate KSK+ZSK, ECDSAP256SHA256)
Zone configuration (pretty typical):
zone "zone.example" {
    notify yes;
    type master;
    allow-transfer { x; };
    also-notify { x; };
    file "/var/lib/bind/dynamic/zone.example/db.zone.example";
    update-policy { grant local-ddns zonesub any; grant edit-x. zonesub any; };
    key-directory "/var/lib/bind/dynamic/zone.example";
    # auto-dnssec maintain;
    dnssec-policy alg13-ksk-unlimited-zsk-60day;
};
Existing keys only have the normal timings:
; Created:
; Publish:
; Activate:
Relevant logs and/or screenshots
Debug level DNSSEC log from starting BIND with this configuration change:
zone zone.example/IN (signed): reconfiguring zone keys
keymgr: keyring: dnskey zone.example/ECDSAP256SHA256/20481 (policy alg13-ksk-unlimited-zsk-60day)
keymgr: keyring: dnskey zone.example/ECDSAP256SHA256/12506 (policy alg13-ksk-unlimited-zsk-60day)
keymgr: DNSKEY zone.example/ECDSAP256SHA256/20481 (ZSK) matches policy alg13-ksk-unlimited-zsk-60day
keymgr: DNSKEY zone.example/ECDSAP256SHA256/12506 (KSK) matches policy alg13-ksk-unlimited-zsk-60day
keymgr: no active key found for zone.example (policy alg13-ksk-unlimited-zsk-60day)
keymgr: DNSKEY zone.example/ECDSAP256SHA256/56446 (KSK) created for policy alg13-ksk-unlimited-zsk-60day
keymgr: no active key found for zone.example (policy alg13-ksk-unlimited-zsk-60day)
keymgr: DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) created for policy alg13-ksk-unlimited-zsk-60day
keymgr: examine ZSK zone.example/ECDSAP256SHA256/20481 type DNSKEY in state HIDDEN
keymgr: ZSK zone.example/ECDSAP256SHA256/20481 type DNSKEY in stable state HIDDEN
keymgr: examine ZSK zone.example/ECDSAP256SHA256/20481 type ZRRSIG in state HIDDEN
keymgr: ZSK zone.example/ECDSAP256SHA256/20481 type ZRRSIG in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/12506 type DNSKEY in state HIDDEN
keymgr: KSK zone.example/ECDSAP256SHA256/12506 type DNSKEY in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/12506 type KRRSIG in state HIDDEN
keymgr: KSK zone.example/ECDSAP256SHA256/12506 type KRRSIG in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/12506 type DS in state HIDDEN
keymgr: KSK zone.example/ECDSAP256SHA256/12506 type DS in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/56446 type DNSKEY in state HIDDEN
keymgr: can we transition KSK zone.example/ECDSAP256SHA256/56446 type DNSKEY state HIDDEN to state RUMOURED?
keymgr: dnssec evaluation of KSK zone.example/ECDSAP256SHA256/56446 record DNSKEY: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: transition KSK zone.example/ECDSAP256SHA256/56446 type DNSKEY state HIDDEN to state RUMOURED!
keymgr: examine KSK zone.example/ECDSAP256SHA256/56446 type KRRSIG in state HIDDEN
keymgr: can we transition KSK zone.example/ECDSAP256SHA256/56446 type KRRSIG state HIDDEN to state RUMOURED?
keymgr: dnssec evaluation of KSK zone.example/ECDSAP256SHA256/56446 record KRRSIG: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: transition KSK zone.example/ECDSAP256SHA256/56446 type KRRSIG state HIDDEN to state RUMOURED!
keymgr: examine KSK zone.example/ECDSAP256SHA256/56446 type DS in state HIDDEN
keymgr: can we transition KSK zone.example/ECDSAP256SHA256/56446 type DS state HIDDEN to state RUMOURED?
keymgr: policy says no to KSK zone.example/ECDSAP256SHA256/56446 type DS state HIDDEN to state RUMOURED
keymgr: examine ZSK zone.example/ECDSAP256SHA256/64179 type DNSKEY in state HIDDEN
keymgr: can we transition ZSK zone.example/ECDSAP256SHA256/64179 type DNSKEY state HIDDEN to state RUMOURED?
keymgr: dnssec evaluation of ZSK zone.example/ECDSAP256SHA256/64179 record DNSKEY: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: transition ZSK zone.example/ECDSAP256SHA256/64179 type DNSKEY state HIDDEN to state RUMOURED!
keymgr: examine ZSK zone.example/ECDSAP256SHA256/64179 type ZRRSIG in state HIDDEN
keymgr: can we transition ZSK zone.example/ECDSAP256SHA256/64179 type ZRRSIG state HIDDEN to state RUMOURED?
keymgr: dnssec evaluation of ZSK zone.example/ECDSAP256SHA256/64179 record ZRRSIG: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: transition ZSK zone.example/ECDSAP256SHA256/64179 type ZRRSIG state HIDDEN to state RUMOURED!
keymgr: examine ZSK zone.example/ECDSAP256SHA256/20481 type DNSKEY in state HIDDEN
keymgr: ZSK zone.example/ECDSAP256SHA256/20481 type DNSKEY in stable state HIDDEN
keymgr: examine ZSK zone.example/ECDSAP256SHA256/20481 type ZRRSIG in state HIDDEN
keymgr: ZSK zone.example/ECDSAP256SHA256/20481 type ZRRSIG in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/12506 type DNSKEY in state HIDDEN
keymgr: KSK zone.example/ECDSAP256SHA256/12506 type DNSKEY in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/12506 type KRRSIG in state HIDDEN
keymgr: KSK zone.example/ECDSAP256SHA256/12506 type KRRSIG in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/12506 type DS in state HIDDEN
keymgr: KSK zone.example/ECDSAP256SHA256/12506 type DS in stable state HIDDEN
keymgr: examine KSK zone.example/ECDSAP256SHA256/56446 type DNSKEY in state RUMOURED
keymgr: can we transition KSK zone.example/ECDSAP256SHA256/56446 type DNSKEY state RUMOURED to state OMNIPRESENT?
keymgr: dnssec evaluation of KSK zone.example/ECDSAP256SHA256/56446 record DNSKEY: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: time says no to KSK zone.example/ECDSAP256SHA256/56446 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 7500 seconds)
keymgr: examine KSK zone.example/ECDSAP256SHA256/56446 type KRRSIG in state RUMOURED
keymgr: can we transition KSK zone.example/ECDSAP256SHA256/56446 type KRRSIG state RUMOURED to state OMNIPRESENT?
keymgr: dnssec evaluation of KSK zone.example/ECDSAP256SHA256/56446 record KRRSIG: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: time says no to KSK zone.example/ECDSAP256SHA256/56446 type KRRSIG state RUMOURED to state OMNIPRESENT (wait 7500 seconds)
keymgr: examine KSK zone.example/ECDSAP256SHA256/56446 type DS in state HIDDEN
keymgr: can we transition KSK zone.example/ECDSAP256SHA256/56446 type DS state HIDDEN to state RUMOURED?
keymgr: policy says no to KSK zone.example/ECDSAP256SHA256/56446 type DS state HIDDEN to state RUMOURED
keymgr: examine ZSK zone.example/ECDSAP256SHA256/64179 type DNSKEY in state RUMOURED
keymgr: can we transition ZSK zone.example/ECDSAP256SHA256/64179 type DNSKEY state RUMOURED to state OMNIPRESENT?
keymgr: dnssec evaluation of ZSK zone.example/ECDSAP256SHA256/64179 record DNSKEY: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: time says no to ZSK zone.example/ECDSAP256SHA256/64179 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 7500 seconds)
keymgr: examine ZSK zone.example/ECDSAP256SHA256/64179 type ZRRSIG in state RUMOURED
keymgr: can we transition ZSK zone.example/ECDSAP256SHA256/64179 type ZRRSIG state RUMOURED to state OMNIPRESENT?
keymgr: dnssec evaluation of ZSK zone.example/ECDSAP256SHA256/64179 record ZRRSIG: rule1=(~false or false) rule2=(~true or true) rule3=(~true or true)
keymgr: time says no to ZSK zone.example/ECDSAP256SHA256/64179 type ZRRSIG state RUMOURED to state OMNIPRESENT (wait 90300 seconds)
Removing expired key 20481/ECDSAP256SHA256 from DNSKEY RRset.
DNSKEY zone.example/ECDSAP256SHA256/20481 (ZSK) is now deleted
Removing expired key 12506/ECDSAP256SHA256 from DNSKEY RRset.
DNSKEY zone.example/ECDSAP256SHA256/12506 (KSK) is now deleted
Fetching zone.example/ECDSAP256SHA256/56446 (KSK) from key repository.
DNSKEY zone.example/ECDSAP256SHA256/56446 (KSK) is now published
DNSKEY zone.example/ECDSAP256SHA256/56446 (KSK) is now active
Fetching zone.example/ECDSAP256SHA256/64179 (ZSK) from key repository.
DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) is now published
DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) is now active
zone zone.example/IN (signed): next key event in 7500 seconds
zone zone.example/IN (signed): next key event: 26-Mar-2020 20:53:34.338
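The log above shows the two pre-existing keys going to "is now deleted" in the same reconfiguration run in which the two freshly created keys go straight to "is now active", so there is no overlap period at all; for the KSK that also means the DS the parent still holds points at a key that no longer exists in the zone, and validating resolvers will fail on it until the parent is updated. As an added check (example code written for this report, not BIND's own code and not the reporter's), the following Python script parses key-manager log lines in the formats BIND 9.16.1 prints here and flags exactly that pattern per zone and key role. The first embedded sample is copied from the log lines above; the second is a constructed sample of what a rollover start would look like (old keys kept, successor ZSK pre-published) and is not an observed BIND log. The regular expressions assume these 9.16.1 message formats; other versions may word them differently.

```python
"""Flag an immediate (non-rollover) DNSSEC key replacement in BIND key-manager logs.

Added example for this report, not code from BIND or from the reporter. It reads
the "keymgr: DNSKEY ... matches policy / created for policy" and
"DNSKEY ... is now deleted / published / active" lines as printed by BIND 9.16.1
and reports every reconfiguration run in which a pre-existing key of a role is
deleted while a key created in that same run is already active for that role.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the log lines from the report.
SAMPLE_LOG_FROM_REPORT = """\
zone zone.example/IN (signed): reconfiguring zone keys
keymgr: DNSKEY zone.example/ECDSAP256SHA256/20481 (ZSK) matches policy alg13-ksk-unlimited-zsk-60day
keymgr: DNSKEY zone.example/ECDSAP256SHA256/12506 (KSK) matches policy alg13-ksk-unlimited-zsk-60day
keymgr: DNSKEY zone.example/ECDSAP256SHA256/56446 (KSK) created for policy alg13-ksk-unlimited-zsk-60day
keymgr: DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) created for policy alg13-ksk-unlimited-zsk-60day
DNSKEY zone.example/ECDSAP256SHA256/20481 (ZSK) is now deleted
DNSKEY zone.example/ECDSAP256SHA256/12506 (KSK) is now deleted
DNSKEY zone.example/ECDSAP256SHA256/56446 (KSK) is now published
DNSKEY zone.example/ECDSAP256SHA256/56446 (KSK) is now active
DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) is now published
DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) is now active
"""

# Constructed sample (not an observed BIND log) of the expected behaviour:
# the existing keys keep serving and only a successor ZSK is pre-published.
SAMPLE_LOG_ROLLOVER = """\
zone zone.example/IN (signed): reconfiguring zone keys
keymgr: DNSKEY zone.example/ECDSAP256SHA256/20481 (ZSK) matches policy alg13-ksk-unlimited-zsk-60day
keymgr: DNSKEY zone.example/ECDSAP256SHA256/12506 (KSK) matches policy alg13-ksk-unlimited-zsk-60day
keymgr: DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) created for policy alg13-ksk-unlimited-zsk-60day
DNSKEY zone.example/ECDSAP256SHA256/64179 (ZSK) is now published
"""

# Message formats as seen in BIND 9.16.1 (assumption: other versions may differ).
KEY_EVENT_RE = re.compile(
    r"DNSKEY (?P<zone>[^/\s]+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+) \((?P<role>KSK|ZSK)\) "
    r"(?P<event>matches policy|created for policy|is now deleted|is now published|is now active)"
)
RECONFIG_RE = re.compile(r"^zone (?P<zone>[^/\s]+)/IN \(signed\): reconfiguring zone keys")


def parse_runs(log_text):
    """Split the log at each 'reconfiguring zone keys' line and return, per run,
    the list of (zone, key_tag, role, event) tuples found in it."""
    runs = [[]]
    for line in log_text.splitlines():
        if RECONFIG_RE.match(line):
            runs.append([])
            continue
        m = KEY_EVENT_RE.search(line)
        if m:
            runs[-1].append((m["zone"], int(m["tag"]), m["role"], m["event"]))
    return [run for run in runs if run]


def find_flash_replacements(log_text):
    """Return one finding per (zone, role) where, within a single run, a key that
    matched the policy (so it existed before the run) was deleted and a key created
    in that same run is already active. A proper rollover keeps the old key
    published and signing alongside the new one for the policy's overlap period."""
    findings = []
    for run in parse_runs(log_text):
        keys = defaultdict(lambda: {"existing": set(), "created": set(),
                                    "deleted": set(), "active": set()})
        for zone, tag, role, event in run:
            state = keys[(zone, role)]
            if event == "matches policy":
                state["existing"].add(tag)
            elif event == "created for policy":
                state["created"].add(tag)
            elif event == "is now deleted":
                state["deleted"].add(tag)
            elif event == "is now active":
                state["active"].add(tag)
        for (zone, role), state in keys.items():
            old = state["existing"] & state["deleted"]
            new = state["created"] & state["active"]
            if old and new:
                findings.append({"zone": zone, "role": role,
                                 "deleted": sorted(old), "activated": sorted(new)})
    return findings


def report(findings):
    """One human-readable line per finding."""
    return [f"{f['zone']}: {f['role']} {f['deleted']} deleted while new {f['role']} "
            f"{f['activated']} activated in the same run (no rollover overlap)"
            for f in findings]


if __name__ == "__main__":
    import sys
    # Pipe named's dnssec-category log in on stdin; with no input, the report's sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG_FROM_REPORT
    for line in report(find_flash_replacements(text)) or ["no immediate key replacement found"]:
        print(line)
```

Run it as `grep -E 'keymgr|DNSKEY|reconfiguring' named.log | python3 check_keymgr.py` right after the policy switch; any finding means the old DNSKEYs (and, for a KSK, the DS published at the parent) stopped matching the zone in one step, which is the condition to catch before the old keys are garbage-collected from the key directory.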
Possible fixes
None known.
One idea put forward was that the TTL field in the .key file did not match the policy (which it did not: the .key file had the dnssec-keygen default, an omitted TTL), but adding the same TTL to the key file did not appear to change the overall behavior.