rndc modzone to change dnssec-policy retire existing keys immediately
Summary
Changing dnssec-policy using rndc modzone for an existing signed zone causes keymgr to retire the existing keys. I have bind configured with "allow-new-zones yes;" so I could add, delete, and modify zones using rndc. I also configured bind with two dnssec-policies: rsasha256 and ecdsap256. I'm hoping this should allow me to do an algorithm rollover by changing dnssec-policy using rndc modzone. The following command immediately retires the existing DNSKEY and creates a new one.
rndc modzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy ecdsap256; file "data/example.com"; };'
Tested version
- BIND-9.16.11 (Stable Release)
- BIND 9.16.12 (Stable Release)
Steps to reproduce
- Configure bind with "allow-new-zones yes;" and two dnssec-policies with different algorithms. This will allow rndc addzone to add a zone and rndc modzone to change the dnssec-policy of an existing zone. I also configured logging with the dnssec category.
- Load the zone with dnssec-policy:
rndc addzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy rsasha256; file "data/example.com"; };'
dnssec log result:
09-Mar-2021 16:06:10.627 dnssec: info: zone example.com/IN (signed): generated salt: CB4EAB14FFF8A6D4731D94FD2EC9DFD8
09-Mar-2021 16:06:10.634 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
09-Mar-2021 16:06:10.700 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/25870 (KSK) created for policy rsasha256
09-Mar-2021 16:06:10.749 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/54564 (ZSK) created for policy rsasha256
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/25870 (KSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now active
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/54564 (ZSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now active
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): zone_addnsec3chain(1,INITIAL|CREATE,5,CB4EAB14FFF8A6D4731D94FD2EC9DFD8)
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): next key event: 09-Mar-2021 18:11:10.634
- Check that both KSK & ZSK are RSASHA256 (Algorithm 8)
dig dnskey example.com. @localhost +multiline
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAbPGinhOiZq3JyeUWyGF3DxjXtQqoBjQeWzoyhSJ
ZtrqVLkz6ocoQ3y6trcjGN2f7YTSWNPIffwdZ69XHmyV
QvUkJYCCrskiP6RzhZffU9AMP1GR1k5QXWX+/RMOCJta
yasvdQo/2gbplzz78nLmXRzhnSzl1GSNGeG9orGtdbyo
89uPP+SJv13zB5rR7mxIj78bl3eVV0bdWf4G4okBE64M
2NJqG0tJwpI2XFysEkNT0JtLPjtiKgK4dFUzxuc5Cq4W
258611VoGWXlqSwBI03UABwLrzO7q4R0oijEtNjWlSNw
vohw/EGkJcTARofVFFo9Aar0AoP3YzjbdA4r+Ls=
) ; KSK; alg = RSASHA256 ; key id = 41266
example.com. 3600 IN DNSKEY 256 3 8 (
AwEAAd0OQXZ//c6Msr1FVK9qJ8QSUehOETVgPmslvrfv
J94LwS9VAgJAE/mZfJdq/OJwcD6uvwycmfpuOjCpr5OL
k/eVAoVcIRBX2NGnhANPIqDo6n9VzqCeNcxX3tJt6uW4
JDxN2GLgaJ7mQAaQr8LIOTe+YLqbVs1s43YaDVfEfLxd
xh0sUS+HErTAt/7DVPV+nkgf2S8yuwdHniVDFfGOgGbp
t42OlVJaqHo7lj6boAZRaIPTX+aoGKuOz4EhXnRwqmwK
/Y9W9NIkT0H0MHSlfcM0B3KtRBwJ+jD3XM7hu8mm4XBU
cFArX/Od/wP3VCB4CNArtoZS4/agMFIEEBIVMhc=
) ; ZSK; alg = RSASHA256 ; key id = 44445
- Change the zone dnssec-policy using rndc modzone
rndc modzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy ecdsap256; file "data/example.com"; };'
dnssec log result:
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/25870 (KSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/54564 (ZSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) created for policy ecdsap256
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) created for policy ecdsap256
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 25870/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 54564/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/23518 (KSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now active
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/12118 (ZSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now active
- Check that both KSK & ZSK are now ECDSAP256 (algorithm 13) and there are no more RSASHA256 DNSKEYs
dig dnskey example.com. @localhost +multiline
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 13 (
bn2PN0mWvMhjgDiVCnO/dDwPS8JaK6Cas5vBI6D7gds8
PXlMeTSJRQSVcyM1OuZIo/V5JIFiQUiiME1IBD+TNw==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 14912
example.com. 3600 IN DNSKEY 257 3 13 (
u6dqheaPjAhwSzuVrroi9na4L4biKfUQDBWRfsjcDyfz
EkPvHIoOZ/DM+FQynz+vyrZ7HnG6fCk9jtz/cmB8vw==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 2113
What is the current bug behavior?
Using rndc modzone to change a zone's dnssec-policy retires the existing keys immediately.
rndc modzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy ecdsap256; file "data/example.com"; };'
The initial RSASHA256 DNSKEYs were retired immediately and were replaced by ECDSAP256 after running "rndc modzone example.com" with another dnssec-policy containing the ECDSAP256 algorithm.
What is the expected correct behavior?
If algorithm rollover is supported with dnssec-policy, the existing RSASHA256 keys and the ECDSAP256 keys should both be visible.
The following command should show 4 DNSKEYs: 2 DNSKEYs with algorithm 8 and 2 DNSKEYs with algorithm 13.
dig dnskey example.com. @localhost +multiline
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAbPGinhOiZq3JyeUWyGF3DxjXtQqoBjQeWzoyhSJ
ZtrqVLkz6ocoQ3y6trcjGN2f7YTSWNPIffwdZ69XHmyV
QvUkJYCCrskiP6RzhZffU9AMP1GR1k5QXWX+/RMOCJta
yasvdQo/2gbplzz78nLmXRzhnSzl1GSNGeG9orGtdbyo
89uPP+SJv13zB5rR7mxIj78bl3eVV0bdWf4G4okBE64M
2NJqG0tJwpI2XFysEkNT0JtLPjtiKgK4dFUzxuc5Cq4W
258611VoGWXlqSwBI03UABwLrzO7q4R0oijEtNjWlSNw
vohw/EGkJcTARofVFFo9Aar0AoP3YzjbdA4r+Ls=
) ; KSK; alg = RSASHA256 ; key id = 41266
example.com. 3600 IN DNSKEY 256 3 8 (
AwEAAd0OQXZ//c6Msr1FVK9qJ8QSUehOETVgPmslvrfv
J94LwS9VAgJAE/mZfJdq/OJwcD6uvwycmfpuOjCpr5OL
k/eVAoVcIRBX2NGnhANPIqDo6n9VzqCeNcxX3tJt6uW4
JDxN2GLgaJ7mQAaQr8LIOTe+YLqbVs1s43YaDVfEfLxd
xh0sUS+HErTAt/7DVPV+nkgf2S8yuwdHniVDFfGOgGbp
t42OlVJaqHo7lj6boAZRaIPTX+aoGKuOz4EhXnRwqmwK
/Y9W9NIkT0H0MHSlfcM0B3KtRBwJ+jD3XM7hu8mm4XBU
cFArX/Od/wP3VCB4CNArtoZS4/agMFIEEBIVMhc=
) ; ZSK; alg = RSASHA256 ; key id = 44445
example.com. 3600 IN DNSKEY 256 3 13 (
bn2PN0mWvMhjgDiVCnO/dDwPS8JaK6Cas5vBI6D7gds8
PXlMeTSJRQSVcyM1OuZIo/V5JIFiQUiiME1IBD+TNw==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 14912
example.com. 3600 IN DNSKEY 257 3 13 (
u6dqheaPjAhwSzuVrroi9na4L4biKfUQDBWRfsjcDyfz
EkPvHIoOZ/DM+FQynz+vyrZ7HnG6fCk9jtz/cmB8vw==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 2113
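A rollover-state check for the expected behaviour described above, added here as an example and not part of the original report: it parses `dig dnskey ... +multiline` output and confirms that both the old and the new algorithm still have a KSK and a ZSK, since a validator whose parent DS still points at the RSASHA256 KSK treats the zone as bogus once those keys vanish. The sample answers (key material replaced by a placeholder) and the function names are constructed for this example.

```shell
# Constructed samples (key material replaced by a placeholder): the DNSKEY
# answer seen after rndc modzone, and the four-key answer the report expects.
AFTER_MODZONE='example.com. 3600 IN DNSKEY 256 3 13 (
PLACEHOLDER==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 14912
example.com. 3600 IN DNSKEY 257 3 13 (
PLACEHOLDER==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 2113'

EXPECTED_ROLLOVER='example.com. 3600 IN DNSKEY 257 3 8 (
PLACEHOLDER==
) ; KSK; alg = RSASHA256 ; key id = 41266
example.com. 3600 IN DNSKEY 256 3 8 (
PLACEHOLDER==
) ; ZSK; alg = RSASHA256 ; key id = 44445
example.com. 3600 IN DNSKEY 256 3 13 (
PLACEHOLDER==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 14912
example.com. 3600 IN DNSKEY 257 3 13 (
PLACEHOLDER==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 2113'

# Read "dig dnskey <zone> +multiline" output on stdin and print one
# "<algorithm> <role> <count>" line per (algorithm, KSK/ZSK) pair.
# Only each record's first line is used: field 5 is the flags (257 = SEP
# bit set, i.e. KSK; 256 = ZSK) and field 7 is the algorithm number.
dnskey_summary() {
    awk '$4 == "DNSKEY" {
        role = ($5 == 257) ? "KSK" : "ZSK"
        n[$7 " " role]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Exit 0 only if the RRset on stdin is in a safe algorithm-rollover state:
# both the old ($1) and the new ($2) algorithm still have a KSK and a ZSK.
rollover_safe() {
    summary=$(dnskey_summary)
    for alg in "$1" "$2"; do
        for role in KSK ZSK; do
            printf '%s\n' "$summary" | grep -q "^$alg $role " || return 1
        done
    done
    return 0
}

# Live use: dig dnskey example.com. @localhost +multiline | rollover_safe 8 13
```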
Relevant configuration files
named.conf
options {
    key-directory "/data/keys";
    allow-new-zones yes;
    request-ixfr yes;
    ixfr-from-differences yes;
    provide-ixfr yes;
};

# DNSSEC Policy ECDSA
dnssec-policy "ecdsap256" {
    nsec3param iterations 5 optout no salt-length 16;
    keys {
        ksk key-directory lifetime P1Y algorithm 13;
        zsk key-directory lifetime 60d algorithm 13;
    };
    // Signatures
    signatures-refresh P1D;
    signatures-validity P2D;
    signatures-validity-dnskey P7D;
    // Keys
    dnskey-ttl 3600;
    publish-safety PT3600S;
    retire-safety PT3600S;
};

# DNSSEC Policy RSASHA2
dnssec-policy "rsasha256" {
    nsec3param iterations 5 optout no salt-length 16;
    keys {
        ksk key-directory lifetime P1Y algorithm RSASHA256;
        zsk key-directory lifetime 30d algorithm RSASHA256;
    };
    // Signatures
    signatures-refresh P1D;
    signatures-validity P7D;
    signatures-validity-dnskey P14D;
    // Keys
    dnskey-ttl 3600;
    publish-safety PT3600S;
    retire-safety PT3600S;
};
Relevant logs and/or screenshots
09-Mar-2021 16:06:10.627 dnssec: info: zone example.com/IN (signed): generated salt: CB4EAB14FFF8A6D4731D94FD2EC9DFD8
09-Mar-2021 16:06:10.634 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
09-Mar-2021 16:06:10.700 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/25870 (KSK) created for policy rsasha256
09-Mar-2021 16:06:10.749 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/54564 (ZSK) created for policy rsasha256
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/25870 (KSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now active
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/54564 (ZSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now active
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): zone_addnsec3chain(1,INITIAL|CREATE,5,CB4EAB14FFF8A6D4731D94FD2EC9DFD8)
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): next key event: 09-Mar-2021 18:11:10.634
09-Mar-2021 16:07:48.457 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/25870 (KSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/54564 (ZSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) created for policy ecdsap256
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) created for policy ecdsap256
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 25870/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 54564/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/23518 (KSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now active
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/12118 (ZSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now active
09-Mar-2021 16:07:48.464 dnssec: info: zone example.com/IN (signed): next key event: 09-Mar-2021 17:12:48.457
Possible fixes