inline-signing and auto-dnssec migration to dnssec-policy fails for zone with CSK
Summary
The zone dyn-acme.switch.ch
was configured with "inline-signing" and "auto-dnssec" with a CSK. Changing to a "dnssec-policy" with the same algorithm and again a CSK failed to recognize the existing CSK. The existing CSK (KSK) was ignored and hidden and a new CSK was created after a reload of named. The published zone contained only the new CSK leading to DNSSEC validation errors.
BIND version used
BIND 9.16.19
Steps to reproduce
Old zone configuration:
zone "dyn-acme.switch.ch" {
    type master;
    file "dynamic/dyn-acme.switch.ch";
    update-check-ksk no; // CSK
    key-directory "/etc/bind/inline-signing-keys";
    auto-dnssec maintain;
    inline-signing yes;
};
New zone configuration:
zone "dyn-acme.switch.ch" {
    type master;
    file "dynamic/dyn-acme.switch.ch";
    key-directory "/etc/bind/inline-signing-keys";
    dnssec-policy "switch-default";
};
dnssec-policy "switch-default" {
    keys { csk key-directory lifetime unlimited algorithm 13; };
};
After a reload of named, the existing CSK got the following state file:
Kdyn-acme.switch.ch.+013+61215.state
; This is the state of key 61215, for dyn-acme.switch.ch.
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
Generated: 20191211143721 (Wed Dec 11 15:37:21 2019)
Published: 20191211143721 (Wed Dec 11 15:37:21 2019)
Active: 20191211143721 (Wed Dec 11 15:37:21 2019)
Retired: 20210810090712 (Tue Aug 10 11:07:12 2021)
Removed: 20210811110712 (Wed Aug 11 13:07:12 2021)
DNSKEYChange: 20210810091212 (Tue Aug 10 11:12:12 2021)
KRRSIGChange: 20210810091212 (Tue Aug 10 11:12:12 2021)
DSChange: 20210810090712 (Tue Aug 10 11:07:12 2021)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
The zone was immediately resigned with a new CSK; the state file of this new CSK looked as follows:
Kdyn-acme.switch.ch.+013+25592.state
; This is the state of key 25592, for dyn-acme.switch.ch.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: yes
Generated: 20210810090712 (Tue Aug 10 11:07:12 2021)
Published: 20210810090712 (Tue Aug 10 11:07:12 2021)
Active: 20210810090712 (Tue Aug 10 11:07:12 2021)
PublishCDS: 20210811101212 (Wed Aug 11 12:12:12 2021)
DNSKEYChange: 20210810090712 (Tue Aug 10 11:07:12 2021)
ZRRSIGChange: 20210810090712 (Tue Aug 10 11:07:12 2021)
KRRSIGChange: 20210810090712 (Tue Aug 10 11:07:12 2021)
DSChange: 20210810090712 (Tue Aug 10 11:07:12 2021)
DNSKEYState: rumoured
ZRRSIGState: rumoured
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
What is the current bug behavior?
The previous CSK was not recognized as a CSK and ignored.
What is the expected correct behavior?
Given that I removed the zone configuration which hints that the zone was using a CSK, I think there is no way named can know that the old KSK was being used as a CSK. Maybe document a migration scenario in https://kb.isc.org/docs/dnssec-key-and-signing-policy ?
Relevant logs and/or screenshots
named log during reload
10-Aug-2021 11:07:11.843 general: info: received control channel command 'reload'
10-Aug-2021 11:07:11.843 general: info: loading configuration from '/etc/bind/named.conf'
10-Aug-2021 11:07:11.898 general: info: unable to open '/etc/bind.keys'; using built-in keys instead
10-Aug-2021 11:07:11.899 general: info: using default UDP/IPv4 port range: [32768, 60999]
10-Aug-2021 11:07:11.899 general: info: using default UDP/IPv6 port range: [32768, 60999]
10-Aug-2021 11:07:11.948 general: info: sizing zone task pool based on 129 zones
10-Aug-2021 11:07:11.958 general: info: zone dyn-acme.switch.ch/IN (signed): (primary) removed
10-Aug-2021 11:07:11.959 general: info: reloading configuration succeeded
10-Aug-2021 11:07:12.055 general: info: reloading zones succeeded
10-Aug-2021 11:07:12.075 notify: info: zone dyn-acme.switch.ch/IN: sending notifies (serial 1610010728)
10-Aug-2021 11:07:12.075 dnssec: info: zone dyn-acme.switch.ch/IN: reconfiguring zone keys
10-Aug-2021 11:07:12.077 dnssec: error: zone dyn-acme.switch.ch/IN: zone_rekey:dns_zone_getdnsseckeys failed: not found
10-Aug-2021 11:07:12.077 dnssec: info: keymgr: retire DNSKEY dyn-acme.switch.ch/ECDSAP256SHA256/61215 (KSK)
10-Aug-2021 11:07:12.077 dnssec: info: keymgr: DNSKEY dyn-acme.switch.ch/ECDSAP256SHA256/25592 (CSK) created for policy switch-default
10-Aug-2021 11:07:12.083 dnssec: info: Fetching dyn-acme.switch.ch/ECDSAP256SHA256/25592 (CSK) from key repository.
10-Aug-2021 11:07:12.084 dnssec: info: DNSKEY dyn-acme.switch.ch/ECDSAP256SHA256/25592 (CSK) is now published
10-Aug-2021 11:07:12.084 dnssec: info: DNSKEY dyn-acme.switch.ch/ECDSAP256SHA256/25592 (CSK) is now active
10-Aug-2021 11:07:12.087 dnssec: info: zone dyn-acme.switch.ch/IN: next key event: 10-Aug-2021 11:12:12.075
10-Aug-2021 11:07:12.092 general: notice: all zones loaded
10-Aug-2021 11:07:12.092 general: notice: running
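The following script is an added example and is not part of the report or of BIND itself. It parses key state files in the layout quoted above, derives the role of a pre-migration key from the DNSKEY flags in its .key file (a 257-flag key under "update-check-ksk no" signs the whole zone, so it is effectively a CSK), and flags the failure signature seen in the log: a KSK-role key driven to goal hidden at the same instant a new CSK of the same algorithm was generated. The two state files are abbreviated copies of those in the report; the .key file and its base64 key material are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed inputs: abbreviated copies of the two .state files quoted in the report.
OLD_KEY_STATE = """\
; This is the state of key 61215, for dyn-acme.switch.ch.
Algorithm: 13
Length: 256
KSK: yes
ZSK: no
Generated: 20191211143721 (Wed Dec 11 15:37:21 2019)
Active: 20191211143721 (Wed Dec 11 15:37:21 2019)
Retired: 20210810090712 (Tue Aug 10 11:07:12 2021)
DNSKEYState: hidden
GoalState: hidden
"""
NEW_KEY_STATE = """\
; This is the state of key 25592, for dyn-acme.switch.ch.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: yes
Generated: 20210810090712 (Tue Aug 10 11:07:12 2021)
Active: 20210810090712 (Tue Aug 10 11:07:12 2021)
DNSKEYState: rumoured
GoalState: omnipresent
"""
# Constructed .key file in dnssec-keygen's layout; the public key material is a placeholder.
OLD_KEY_FILE = """\
; This is a key-signing key, keyid 61215, for dyn-acme.switch.ch.
dyn-acme.switch.ch. IN DNSKEY 257 3 13 PLACEHOLDERBASE64==
"""

HEADER_RE = re.compile(r"^;\s*This is the state of key (\d+), for (\S+)$")


@dataclass
class KeyState:
    key_id: int
    zone: str
    ksk: bool
    zsk: bool
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def role(self) -> str:
        if self.ksk and self.zsk:
            return "CSK"
        return "KSK" if self.ksk else "ZSK"


def parse_state(text: str) -> KeyState:
    """Parse one K<zone>.+<alg>+<id>.state file into a KeyState."""
    key_id = zone = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = HEADER_RE.match(line)
            if m:
                key_id, zone = int(m.group(1)), m.group(2).rstrip(".")
            continue
        name, _, value = line.partition(":")
        # Timestamps carry a human-readable copy in parentheses; keep only the raw value.
        fields[name.strip()] = value.strip().split(" (", 1)[0]
    if key_id is None:
        raise ValueError("state file lacks the 'This is the state of key' header")
    return KeyState(key_id, zone, fields.get("KSK") == "yes", fields.get("ZSK") == "yes", fields)


def effective_role(key_file_text: str, update_check_ksk: bool) -> str:
    """Role a pre-dnssec-policy key really had: DNSKEY flags 257 = KSK, 256 = ZSK, but
    under 'update-check-ksk no' a lone KSK signed every RRset, i.e. it was a CSK."""
    for line in key_file_text.splitlines():
        parts = line.split()
        if "DNSKEY" in parts:
            flags = int(parts[parts.index("DNSKEY") + 1])
            if flags == 257:
                return "KSK" if update_check_ksk else "CSK"
            if flags == 256:
                return "ZSK"
    raise ValueError("no DNSKEY record in key file")


def audit(states: List[KeyState]) -> List[str]:
    """Flag a KSK-role key pushed to goal hidden at the same instant a new CSK of the
    same algorithm was generated for the same zone (the existing key was not adopted)."""
    findings = []
    for old in states:
        if old.role != "KSK" or old.fields.get("GoalState") != "hidden":
            continue
        for new in states:
            if (new is not old and new.zone == old.zone and new.role == "CSK"
                    and new.fields.get("Algorithm") == old.fields.get("Algorithm")
                    and new.fields.get("Generated") == old.fields.get("Retired")):
                findings.append(
                    f"{old.zone}: key {old.key_id} (KSK) retired at {old.fields['Retired']} "
                    f"and replaced by new CSK {new.key_id}: existing key was not adopted")
    return findings


if __name__ == "__main__":
    print(effective_role(OLD_KEY_FILE, update_check_ksk=False))  # CSK
    for finding in audit([parse_state(OLD_KEY_STATE), parse_state(NEW_KEY_STATE)]):
        print(finding)
```

Running it on the report's data prints "CSK" for the old key and one finding for dyn-acme.switch.ch naming keys 61215 and 25592. Run against a real key-directory (after the reload, in a staging instance) it tells you whether the policy adopted the existing key before the new DNSKEY RRset reaches the public zone.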