dnssec-policy publishes dynamic zone without NSEC3 despite policy
Summary
History: I had a problem with dynamic zones (migrated from dnssec-keymgr) on a server with RRs which stopped being validated properly, but the logs did not go far enough to find the origin of the problem. On one zone that I could not fix with dnssec-signzone I decided to recreate it from scratch.
All seemed to go well: the checkds went well and RRSIGs are published, but NSEC3 RRs are not and the zone is not secure.
BIND version used
BIND 9.16.11-Debian (Stable Release) <id:9ff601b>
running on Linux x86_64 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-DpdRXh/bind9-9.16.11=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 8.3.0
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libuv version: 1.24.1
linked to libuv version: 1.24.1
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.12.1
linked to json-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.3.2
compiled with protobuf-c version: 1.3.1
linked to protobuf-c version: 1.3.1
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
- After stopping BIND I removed everything about the old zone: journals, keys and so on
- I recreated a basic zone with just a handful of RRs I need (SOA, 3 NS, 3 TLSA entries), nothing related to DNSSEC
- I defined the zone with the dnssec-policy I use for all my zones, which works fine for non-dynamic zones so far
- started BIND
- waited for CDS to be published
- rndc dnssec -checkds -key 32826 published _kage.duckcorp.org
- waited for the status to all switch to omnipresent
- used dig and also delv to check the zone
What is the current bug behavior?
delv +rtrace +dnssec @ns1.duckcorp.org SOA _kage.duckcorp.org
;; fetch: ns1.duckcorp.org/A
;; fetch: ns1.duckcorp.org/AAAA
;; fetch: ns1.duckcorp.org.hq.duckcorp.org/A
;; fetch: ns1.duckcorp.org.hq.duckcorp.org/AAAA
;; fetch: ns1.duckcorp.org.duckcorp.org/A
;; fetch: ns1.duckcorp.org.duckcorp.org/AAAA
;; fetch: _kage.duckcorp.org/SOA
;; fetch: org/DS
;; fetch: ./DNSKEY
;; fetch: duckcorp.org/DS
;; fetch: org/DNSKEY
;; fetch: _kage.duckcorp.org/DS
;; fetch: duckcorp.org/DNSKEY
;; insecurity proof failed resolving '_kage.duckcorp.org/SOA/IN': 2001:67c:1740:9016::c111:c0d3#53
;; validating _kage.duckcorp.org/SOA: got insecure response; parent indicates it should be secure
;; insecurity proof failed resolving '_kage.duckcorp.org/SOA/IN': 193.200.43.105#53
;; resolution failed: insecurity proof failed
Confirmed by dnsviz: https://dnsviz.net/d/_kage.duckcorp.org/dnssec/
Even after rndc sync -clean _kage.duckcorp.org
there are no NSEC3 (or even NSEC) RRs, and no NSEC3PARAM in the zone file.
What is the expected correct behavior?
I expected the NSEC3PARAM RR to be added in the zone according to policy and then NSEC3 RRs to be generated.
Relevant configuration files
The zone:
zone "_kage.duckcorp.org" IN {
type master;
allow-transfer { key duckcorp-internal; };
update-policy { <many-grants> };
file "/var/cache/bind/masters/_kage.duckcorp.org.zone";
dnssec-policy "generated";
};
And the policy:
dnssec-policy "generated" {
keys {
ksk key-directory lifetime P1Y algorithm rsasha512 4096;
zsk key-directory lifetime 30d algorithm rsasha512 2048;
};
max-zone-ttl PT1H;
nsec3param iterations 5 optout no salt-length 8;
};
Relevant logs and/or screenshots
# rndc dnssec -status _kage.duckcorp.org
dnssec-policy: generated
current time: Sun Mar 28 17:24:17 2021
key: 32826 (RSASHA512), KSK
published: yes - since Sat Mar 27 08:56:19 2021
key signing: yes - since Sat Mar 27 08:56:19 2021
Next rollover scheduled on Sun Mar 27 07:51:19 2022
- goal: omnipresent
- dnskey: omnipresent
- ds: omnipresent
- key rrsig: omnipresent
key: 63491 (RSASHA512), ZSK
published: yes - since Sat Mar 27 08:56:19 2021
zone signing: yes - since Sat Mar 27 08:56:19 2021
Next rollover scheduled on Mon Apr 26 07:51:19 2021
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: omnipresent
But the zone is not considered secure for some reason:
# rndc zonestatus _kage.duckcorp.org
name: _kage.duckcorp.org
type: master
files: /var/cache/bind/masters/_kage.duckcorp.org.zone
serial: 10056
nodes: 5
last loaded: Sat, 27 Mar 2021 10:15:37 GMT
secure: no
key maintenance: automatic
next key event: Mon, 26 Apr 2021 05:51:19 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
27-Mar-2021 08:56:19.477 dnssec: info: zone _kage.duckcorp.org/IN: reconfiguring zone keys
27-Mar-2021 08:56:21.241 dnssec: info: keymgr: DNSKEY _kage.duckcorp.org/RSASHA512/32826 (KSK) created for policy generated
27-Mar-2021 08:56:21.473 dnssec: info: keymgr: DNSKEY _kage.duckcorp.org/RSASHA512/63491 (ZSK) created for policy generated
27-Mar-2021 08:56:21.473 dnssec: info: Fetching _kage.duckcorp.org/RSASHA512/32826 (KSK) from key repository.
27-Mar-2021 08:56:21.473 dnssec: info: DNSKEY _kage.duckcorp.org/RSASHA512/32826 (KSK) is now published
27-Mar-2021 08:56:21.473 dnssec: info: DNSKEY _kage.duckcorp.org/RSASHA512/32826 (KSK) is now active
27-Mar-2021 08:56:21.473 dnssec: info: Fetching _kage.duckcorp.org/RSASHA512/63491 (ZSK) from key repository.
27-Mar-2021 08:56:21.473 dnssec: info: DNSKEY _kage.duckcorp.org/RSASHA512/63491 (ZSK) is now published
27-Mar-2021 08:56:21.473 dnssec: info: DNSKEY _kage.duckcorp.org/RSASHA512/63491 (ZSK) is now active
27-Mar-2021 08:56:21.553 dnssec: info: zone _kage.duckcorp.org/IN: next key event: 27-Mar-2021 11:01:19.477
27-Mar-2021 11:01:19.480 dnssec: info: zone _kage.duckcorp.org/IN: reconfiguring zone keys
27-Mar-2021 11:01:19.580 dnssec: info: zone _kage.duckcorp.org/IN: next key event: 27-Mar-2021 12:01:19.480
27-Mar-2021 12:01:19.483 dnssec: info: zone _kage.duckcorp.org/IN: reconfiguring zone keys
27-Mar-2021 12:01:19.483 dnssec: info: zone _kage.duckcorp.org/IN: next key event: 28-Mar-2021 14:28:24.483
28-Mar-2021 06:12:18.696 dnssec: info: zone _kage.duckcorp.org/IN: reconfiguring zone keys
28-Mar-2021 06:12:18.756 dnssec: info: zone _kage.duckcorp.org/IN: next key event: 28-Mar-2021 14:28:24.696
28-Mar-2021 14:28:24.697 dnssec: info: zone _kage.duckcorp.org/IN: reconfiguring zone keys
28-Mar-2021 14:28:24.737 dnssec: info: zone _kage.duckcorp.org/IN: next key event: 26-Apr-2021 07:51:19.697
Possible fixes
I have no idea how to fix this problem. I suppose the NSEC3PARAM RR is not created in dynamic zones for some reason and then NSEC3 RRs are never created. Maybe inserting it manually would solve the problem but I have not tried this yet.
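Added example, not code from the bug report or from BIND: a small Python audit that takes a zone dump in presentation format (what `rndc sync -clean` writes, or `dig AXFR` output) and reports the state described above, i.e. DNSKEY and RRSIG present but no NSEC3PARAM and no NSEC/NSEC3 chain, and checks an NSEC3PARAM against the `nsec3param iterations 5 optout no salt-length 8` line of the policy. The zone names (`example.net`), key and signature material and the NSEC3 owner hashes in the two sample zones are constructed placeholders, not real data; the parser assumes one RR per line apart from parenthesised continuations and no quoted strings.

```python
"""Audit a BIND zone dump for DNSSEC completeness (added example, not BIND code)."""

# What the report's policy asks for: `nsec3param iterations 5 optout no
# salt-length 8`. Hash algorithm 1 (SHA-1) is the only NSEC3 hash defined.
POLICY_NSEC3 = {"hash_alg": 1, "opt_out": False, "iterations": 5, "salt_bytes": 8}


def _logical_lines(text):
    """Join parenthesised multi-line RRs (e.g. SOA) and drop ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # no quoted strings assumed
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ").strip()
            buf, depth = [], 0
            if joined:
                yield joined


def parse_zone(text):
    """Return (owner, rtype, rdata_tokens) for every RR in presentation format."""
    rrs = []
    for line in _logical_lines(text):
        if line.startswith("$"):               # $ORIGIN / $TTL directives
            continue
        tokens = line.split()
        owner, i = tokens[0].lower(), 1
        if i < len(tokens) and tokens[i].isdigit():        # optional TTL
            i += 1
        if i < len(tokens) and tokens[i].upper() == "IN":  # optional class
            i += 1
        if i < len(tokens):
            rrs.append((owner, tokens[i].upper(), tokens[i + 1:]))
    return rrs


def check_nsec3param(rdata, policy=POLICY_NSEC3):
    """Compare NSEC3PARAM rdata (hash flags iterations salt) with the policy.

    NSEC3PARAM flags are always 0 (RFC 5155); the opt-out flag lives in the
    NSEC3 RRs themselves, so audit_zone checks it there.
    """
    hash_alg, iterations, salt = int(rdata[0]), int(rdata[2]), rdata[3]
    salt_bytes = 0 if salt == "-" else len(salt) // 2     # hex chars -> bytes
    problems = []
    if hash_alg != policy["hash_alg"]:
        problems.append(f"hash algorithm {hash_alg} != {policy['hash_alg']}")
    if iterations != policy["iterations"]:
        problems.append(f"iterations {iterations} != {policy['iterations']}")
    if salt_bytes != policy["salt_bytes"]:
        problems.append(f"salt length {salt_bytes} != {policy['salt_bytes']}")
    return problems


def audit_zone(text, policy=POLICY_NSEC3):
    """Summarise the DNSSEC state of a zone and list policy deviations."""
    rrs = parse_zone(text)
    types = {rtype for _, rtype, _ in rrs}
    denial = "nsec3" if "NSEC3" in types else "nsec" if "NSEC" in types else "none"
    report = {"dnskey": "DNSKEY" in types, "rrsig": "RRSIG" in types,
              "nsec3param": "NSEC3PARAM" in types, "denial": denial, "problems": []}
    for owner, rtype, rdata in rrs:
        if rtype == "NSEC3PARAM":
            report["problems"] += check_nsec3param(rdata, policy)
        elif rtype == "NSEC3" and int(rdata[1]) & 1 and not policy["opt_out"]:
            report["problems"].append(f"{owner} has opt-out set but policy says optout no")
    if denial == "nsec3" and not report["nsec3param"]:
        report["problems"].append("NSEC3 chain present but NSEC3PARAM missing")
    if report["rrsig"] and denial == "none":
        report["problems"].append("RRSIGs present but no NSEC/NSEC3 chain; "
                                  "the zone cannot prove non-existence")
    report["secure"] = (report["dnskey"] and report["rrsig"]
                        and denial != "none" and not report["problems"])
    return report


# Constructed sample resembling the reported state: keys and signatures, no chain.
# Key and signature fields are dummy tokens; nothing here is decoded.
BROKEN_ZONE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. (
        10056 7200 3600 1209600 3600 )
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN NS ns2.example.net.
example.net. 3600 IN DNSKEY 257 3 10 AwEAAdummyKSK=
example.net. 3600 IN DNSKEY 256 3 10 AwEAAdummyZSK=
example.net. 3600 IN RRSIG SOA 10 2 3600 20210427000000 20210327000000 63491 example.net. c2ln
_443._tcp.example.net. 3600 IN TLSA 3 1 1 0123abcd
_443._tcp.example.net. 3600 IN RRSIG TLSA 10 4 3600 20210427000000 20210327000000 63491 example.net. c2ln
"""

# The same zone plus the NSEC3 chain the policy should produce (also constructed).
SIGNED_ZONE = BROKEN_ZONE + """\
example.net. 0 IN NSEC3PARAM 1 0 5 0123456789abcdef
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.net. 3600 IN NSEC3 1 0 5 0123456789abcdef 1avvqn74sg75ukfvf25dgcethgq2glus NS SOA RRSIG DNSKEY NSEC3PARAM
"""

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN_ZONE), ("signed", SIGNED_ZONE)):
        print(name, audit_zone(zone))
```

Run against the reported zone's dump, `audit_zone` returns `secure: False` with the single problem "RRSIGs present but no NSEC/NSEC3 chain", which is the state delv reports as "insecurity proof failed": the parent DS says the zone is signed, but the child has nothing with which to prove or deny anything.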