Skip to content
GitLab
Closed
Issue created by Marc Dequènes (Duck)@duck-rh

Bind 9.16.8 reuses old keys

Summary

I switched from 9.11.5.P4 to 9.16.8 and from dnssec-keymgr to dnssec-policy. dnssec-keymgr did not remove old keys and Bind now just revived them all without caring for the old state.

BIND version used

BIND 9.16.8-Debian (Stable Release) <id:539f9f0>
running on Linux x86_64 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-Pv1hAF/bind9-9.16.8=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libuv version: 1.24.1
linked to libuv version: 1.24.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP

Steps to reproduce

Switch from dnssec-keymgr based management to dnssec-policy. You also need to have old keys around. dnssec-keymgr lacked cleanup management so they stayed around.

What is the current bug behavior?

Here is an example zone: https://dnsviz.net/d/_kage.duckcorp.org/dnssec/ You can have a look at the previous state. As you can see that's a bit of a mess. I also wonder if Bind is gonna inactive old keys again by itself or if I have to do that myself.

What is the expected correct behavior?

IMHO it would help to have a proper upgrade path from dnssec-keymgr to dnssec-policy. That means reading the .key files (created by dnssec-keymgr) and at least the Inactive field in order to ignore keys that are not relevant.

Relevant configuration files

The configuration with dnssec-keymgr:

zone "hq.duckcorp.org" IN {
        type master;
        allow-transfer { key duckcorp-internal; };
        also-notify { duckland_ns2; };
        file "/var/cache/bind/masters/hq.duckcorp.org.zone";
        inline-signing yes;
        auto-dnssec maintain;
}

with /etc/bind/dnssec-policy.conf:

policy default {
        algorithm RSASHA512;
        keyttl 3600;
        key-size ksk 4096;
        key-size zsk 2048;
        roll-period ksk 1y;
        roll-period zsk 3mo;
        pre-publish ksk 1mo;
        pre-publish zsk 1mo;
        post-publish ksk 1mo;
        post-publish zsk 1mo;
        standby ksk 0;
        standby zsk 0;
        coverage 1y;
};

And now:

zone "hq.duckcorp.org" IN {
        type master;
        allow-transfer { key duckcorp-internal; };
        also-notify { duckland_ns2; };
        file "/var/cache/bind/masters/hq.duckcorp.org.zone";
        dnssec-policy "generated";
}

dnssec-policy "generated" {
    keys {
        ksk key-directory lifetime P1Y algorithm rsasha512 4096;
        zsk key-directory lifetime 30d algorithm rsasha512 2048;
    };
    max-zone-ttl PT1H;
};

Example of key header for one of the obsolete keys K_kage.hq.duckcorp.org.+010+57716.key:

; This is a zone-signing key, keyid 57716, for _kage.hq.duckcorp.org.
; Created: 20190927153144 (Sat Sep 28 00:31:44 2019)
; Publish: 20200224153144 (Tue Feb 25 00:31:44 2020)
; Activate: 20200325153144 (Thu Mar 26 00:31:44 2020)
; Inactive: 20200623153144 (Wed Jun 24 00:31:44 2020)
; Delete: 20200723153144 (Fri Jul 24 00:31:44 2020)

And the corresponding rndc dnssec -status for it:

key: 57716 (RSASHA512), ZSK
  published:      yes - since Tue Feb 25 00:31:44 2020
  zone signing:   yes - since Thu Mar 26 00:31:44 2020

  Rollover is due since Wed Jun 24 00:31:44 2020
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent

Interestingly some are in other states like:

key: 36878 (RSASHA512), ZSK
  published:      no  - scheduled Fri Feb 19 00:31:44 2021
  zone signing:   no  - scheduled Sun Mar 21 00:31:44 2021

  Key will retire on Sat Jun 19 00:31:44 2021
  - dnskey:         hidden
  - zone rrsig:     hidden

or

key: 49415 (RSASHA512), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - zone rrsig:     unretentive

Regards. \_o<