dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys
Summary
The new dnssec-policy seems to roll over KSKs of algorithm 15 even if no rollover is due according to the policy. Keys of algorithm 8 seem to work correctly. For KSKs and ZSKs, a lot of rollovers were also generated for algorithm 15 keys after the first rollout of the policy. This did not happen with algorithm 8 keys.
BIND version used
BIND 9.16.7-Ubuntu (Stable Release) <id:6fd3eb7>
running on Linux x86_64 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-HlagpL/bind9-9.16.7=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 7.5.0
compiled with OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
linked to OpenSSL version: OpenSSL 1.1.1 11 Sep 2018
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
Have two DNSSEC signed zones which are currently managed with auto-dnssec maintain and inline-signing yes. Both zones are used in a split-horizon setup and use an internal and an external view. Both views use DNSSEC. One zone uses algorithm 8 for ZSK and KSK while the other zone uses algorithm 15. Keys are managed manually and have no expiry dates set. Both keys are 6 months old. Change the zones to use a dnssec-policy instead, where according to the policy a ZSK rollover would be due. For the policies I used, see named.conf.policy.
What is the current bug behavior?
The above linked policies limit the KSK validity to one year and the ZSK to 3 months. Hence the ZSKs are due for rollover, but the KSKs aren't. This works well for algorithm 8 keys. The KSK stays untouched and a new ZSK is created while the old one is retired.
State files of keys:
; This is the state of key 10740, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Predecessor: 54528
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920185500 (Sun Sep 20 18:55:00 2020)
Retired: 20201222185500 (Tue Dec 22 18:55:00 2020)
Removed: 20210101200000 (Fri Jan 1 20:00:00 2021)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 39460, for REDACTED.
Algorithm: 8
Length: 2048
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200307174149 (Sat Mar 7 17:41:49 2020)
Published: 20200307174149 (Sat Mar 7 17:41:49 2020)
Active: 20200307174149 (Sat Mar 7 17:41:49 2020)
Retired: 20210307174149 (Sun Mar 7 17:41:49 2021)
Removed: 20210308214149 (Mon Mar 8 21:41:49 2021)
PublishCDS: 20200308184649 (Sun Mar 8 18:46:49 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: hidden
GoalState: omnipresent
; This is the state of key 54528, for REDACTED.
Algorithm: 8
Length: 1024
Lifetime: 8035200
Successor: 10740
KSK: no
ZSK: yes
Generated: 20200307174138 (Sat Mar 7 17:41:38 2020)
Published: 20200307184138 (Sat Mar 7 18:41:38 2020)
Active: 20200307184138 (Sat Mar 7 18:41:38 2020)
Retired: 20200608184138 (Mon Jun 8 18:41:38 2020)
Removed: 20200618194638 (Thu Jun 18 19:46:38 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
However, for the algorithm 15 zone the KSK is also rolled over and a lot of transitions are generated. Again the state files:
; This is the state of key 1385, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 10893, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 14222, for REDACTED.
Algorithm: 15
Length: 256
KSK: yes
ZSK: no
Generated: 20200223141731 (Sun Feb 23 14:17:31 2020)
Published: 20200223141731 (Sun Feb 23 14:17:31 2020)
Active: 20200223141731 (Sun Feb 23 14:17:31 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
; This is the state of key 14939, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 46932, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200930190000 (Wed Sep 30 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 47719, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20210920175500 (Mon Sep 20 17:55:00 2021)
Removed: 20210921005500 (Tue Sep 21 00:55:00 2021)
PublishCDS: 20200921190000 (Mon Sep 21 19:00:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
; This is the state of key 58697, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 8035200
KSK: no
ZSK: yes
Generated: 20200920175500 (Sun Sep 20 17:55:00 2020)
Published: 20200920175500 (Sun Sep 20 17:55:00 2020)
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20201222175500 (Tue Dec 22 17:55:00 2020)
Removed: 20210101190000 (Fri Jan 1 19:00:00 2021)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
; This is the state of key 59076, for REDACTED.
Algorithm: 15
Length: 256
KSK: no
ZSK: yes
Generated: 20200223141612 (Sun Feb 23 14:16:12 2020)
Published: 20200223151612 (Sun Feb 23 15:16:12 2020)
Active: 20200223151612 (Sun Feb 23 15:16:12 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200930185500 (Wed Sep 30 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
ZRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: hidden
ZRRSIGState: unretentive
GoalState: hidden
; This is the state of key 62357, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
Removed: 20200921005500 (Mon Sep 21 00:55:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
KRRSIGChange: 20200920175500 (Sun Sep 20 17:55:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
; This is the state of key 63427, for REDACTED.
Algorithm: 15
Length: 256
Lifetime: 31536000
KSK: yes
ZSK: no
Generated: 20200920175000 (Sun Sep 20 17:50:00 2020)
Published: 20200920175000 (Sun Sep 20 17:50:00 2020)
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175000 (Sun Sep 20 17:50:00 2020)
Removed: 20200921005000 (Mon Sep 21 00:50:00 2020)
PublishCDS: 20200921185500 (Mon Sep 21 18:55:00 2020)
DNSKEYChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
KRRSIGChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DSChange: 20200920175000 (Sun Sep 20 17:50:00 2020)
DNSKEYState: unretentive
KRRSIGState: unretentive
DSState: hidden
GoalState: hidden
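To make the difference between the two listings above measurable rather than eyeballed, here is an added Python script (not part of this report and not BIND's own tooling) that parses the key state file format shown above and flags keys whose Active-to-Retired window is shorter than a threshold, then counts such keys per algorithm. The sample input is constructed from three of the keys quoted above, trimmed to the fields the check needs; the one-day threshold MIN_USEFUL_LIFETIME_SECONDS is an assumption, not a BIND setting.

```python
"""Audit BIND dnssec-policy key state files for spurious rollovers.

Added example, not BIND code. It reads the ".state" format quoted in this
report and flags keys that were retired at (or within minutes of) the
instant they became active: keys that only exist because of an
unintended rollover.
"""
import re
from datetime import datetime

# Constructed sample, trimmed from keys 10740 (alg 8), 1385 and 46932 (alg 15)
# as quoted in the report; the parser ignores fields it does not need.
SAMPLE_STATES = """\
; This is the state of key 10740, for REDACTED.
Algorithm: 8
Lifetime: 8035200
KSK: no
ZSK: yes
Active: 20200920185500 (Sun Sep 20 18:55:00 2020)
Retired: 20201222185500 (Tue Dec 22 18:55:00 2020)
GoalState: omnipresent
; This is the state of key 1385, for REDACTED.
Algorithm: 15
Lifetime: 31536000
KSK: yes
ZSK: no
Active: 20200920175500 (Sun Sep 20 17:55:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
GoalState: hidden
; This is the state of key 46932, for REDACTED.
Algorithm: 15
Lifetime: 8035200
KSK: no
ZSK: yes
Active: 20200920175000 (Sun Sep 20 17:50:00 2020)
Retired: 20200920175500 (Sun Sep 20 17:55:00 2020)
GoalState: hidden
"""

# Assumed threshold: a key active for less than a day served no purpose.
MIN_USEFUL_LIFETIME_SECONDS = 24 * 3600
TIMESTAMP_FIELDS = {"Generated", "Published", "Active", "Retired", "Removed"}
INT_FIELDS = {"Algorithm", "Length", "Lifetime", "Predecessor", "Successor"}
KEY_HEADER = re.compile(r"^; This is the state of key (\d+), for (\S+)\.$")


def parse_state_files(text):
    """Parse concatenated state files into a list of dicts (one per key).

    Timestamps keep only the 14-digit value; the date in parentheses is
    dropped. yes/no fields become bools, numeric fields ints.
    """
    keys, current = [], None
    for line in text.splitlines():
        header = KEY_HEADER.match(line)
        if header:
            current = {"id": int(header.group(1)), "zone": header.group(2)}
            keys.append(current)
            continue
        if current is None or ":" not in line:
            continue
        field, _, value = line.partition(":")
        value = value.strip().split(" ", 1)[0]
        if field in TIMESTAMP_FIELDS:
            current[field] = datetime.strptime(value, "%Y%m%d%H%M%S")
        elif field in ("KSK", "ZSK"):
            current[field] = value == "yes"
        elif field in INT_FIELDS:
            current[field] = int(value)
        else:
            current[field] = value
    return keys


def role_of(key):
    """KSK, ZSK or CSK (both flags set) for a parsed key."""
    if key.get("KSK") and key.get("ZSK"):
        return "CSK"
    return "KSK" if key.get("KSK") else "ZSK"


def find_spurious_rollovers(keys, min_active_seconds=MIN_USEFUL_LIFETIME_SECONDS):
    """Return (id, algorithm, role, active_seconds) for keys retired too soon."""
    flagged = []
    for key in keys:
        active, retired = key.get("Active"), key.get("Retired")
        if active is None or retired is None:
            continue  # never retired: nothing to flag
        window = int((retired - active).total_seconds())
        if window < min_active_seconds:
            flagged.append((key["id"], key["Algorithm"], role_of(key), window))
    return flagged


def summarize_by_algorithm(keys, min_active_seconds=MIN_USEFUL_LIFETIME_SECONDS):
    """Map algorithm number -> (total keys, spuriously rolled keys)."""
    spurious = {k_id for k_id, *_ in find_spurious_rollovers(keys, min_active_seconds)}
    summary = {}
    for key in keys:
        total, bad = summary.get(key["Algorithm"], (0, 0))
        summary[key["Algorithm"]] = (total + 1, bad + (key["id"] in spurious))
    return summary


if __name__ == "__main__":
    parsed = parse_state_files(SAMPLE_STATES)
    for key_id, alg, role, secs in find_spurious_rollovers(parsed):
        print(f"key {key_id} (alg {alg}, {role}) retired {secs}s after activation")
    print(summarize_by_algorithm(parsed))
```

Run against a directory of real state files by concatenating them (for example `cat K*.state`) into the parser's input; a summary such as `{8: (1, 0), 15: (2, 2)}` shows at a glance that every short-lived key belongs to one algorithm, which is the pattern this report describes.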
What is the expected correct behavior?
Algorithm 15 keys should behave in the same way as algorithm 8 keys. They should not roll over the KSK if it is not due and should not generate so many transitions.
Relevant configuration files
See attached policy configuration.
Relevant logs and/or screenshots
The DNSSEC portion of the log is attached in dnssec.log. On my setup I have 4 zones. Two have keys with algorithm 8 and two have keys with algorithm 15. In reality those are domains with TLDs .at (15), .eu (15), .com (8), .de (8). All zones have an internal and an external view. I redacted the real domain names and named them zone-algo-15-01/02 and zone-algo-8-01/02 respectively.
Additional question
Bind told me that option 'parent-registration-delay' is obsolete and should be removed. Why is that? I found that a useful option. In this case I had to quickly update the DS at the registries since KSKs were rolled over. Is there a replacement, or how is the need for manual intervention handled here?