inline-signing and auto-dnssec migration to dnssec-policy fails
Summary
After updating BIND from 9.18.9 to 9.18.10 I got these messages:
option 'auto-dnssec' is deprecated
'auto-dnssec' option is deprecated and will be removed in BIND 9.19. Please migrate to dnssec-policy
I tried to migrate from auto-dnssec to dnssec-policy using https://kb.isc.org/docs/dnssec-key-and-signing-policy, but the zone "stopped working".
BIND version used
BIND 9.18.10 (Stable Release) <id:>
running on FreeBSD amd64 13.1-RELEASE-p2 FreeBSD 13.1-RELEASE-p2 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd13.1' 'build_alias=amd64-portbld-freebsd13.1' 'CC=cc' 'CFLAGS=-O2 -pipe -march=nehalem -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/tmp/work/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 13.0.0 (git@github.com:llvm/llvm-project.git llvmorg-13.0.0-0-gd7b669b3a303)
compiled with OpenSSL version: OpenSSL 1.1.1o-freebsd 3 May 2022
linked to OpenSSL version: OpenSSL 1.1.1o-freebsd 3 May 2022
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.48.0
linked to libnghttp2 version: 1.48.0
compiled with libxml2 version: 2.10.3
linked to libxml2 version: 21003
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.12
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
Steps to reproduce
Tried to migrate to dnssec-policy:
1. Change permissions for keys (`chown -R bind /usr/local/etc/namedb/dnssec`), replace `auto-dnssec maintain` with `dnssec-policy default`, restart named.
2. Keys for this domain in dnssec changed; `drill my.domain @8.8.8.8` shows nothing, but `drill my.domain @127.0.0.1` shows correct records.
3. Got `drill -t DNSKEY my.domain @127.0.0.1` and `drill -t DS my.domain @127.0.0.1`.
4. Then restore configs from backup, restart named.
5. `drill my.domain @8.8.8.8` shows correct records.
6. Got `drill -t DNSKEY my.domain @8.8.8.8` and `drill -t DS my.domain @8.8.8.8`: records are the same as before on step 3.
What is the current bug behavior?
`drill my.domain @8.8.8.8` is empty, but `drill my.domain @127.0.0.1` prints correct records.
What is the expected correct behavior?
`drill my.domain @8.8.8.8` and `drill my.domain @127.0.0.1` print correct records.
Relevant configuration files
Files for my.domain from /usr/local/etc/namedb/dnssec:
dsset-my.domain.:
my.domain. IN DS ${ID1} 13 2 <X1> <X2>
Kmy.domain.+013+${ID1}.key:
; This is a key-signing key, keyid ${ID1}, for my.domain.
; Created: 20200401100731 (Wed Apr 1 13:07:31 2020)
; Publish: 20200401100731 (Wed Apr 1 13:07:31 2020)
; Activate: 20200401100731 (Wed Apr 1 13:07:31 2020)
my.domain. IN DNSKEY 257 3 13 <X3>
Kmy.domain.+013+${ID1}.private:
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: <X4>
Created: 20200401100731
Publish: 20200401100731
Activate: 20200401100731
Kmy.domain.+013+${ID2}.key:
; This is a zone-signing key, keyid ${ID2}, for my.domain.
; Created: 20200401100817 (Wed Apr 1 13:08:17 2020)
; Publish: 20200401100817 (Wed Apr 1 13:08:17 2020)
; Activate: 20200401100817 (Wed Apr 1 13:08:17 2020)
my.domain. IN DNSKEY 256 3 13 <X5>
Kmy.domain.+013+${ID2}.private:
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: <X6>
Created: 20200401100817
Publish: 20200401100817
Activate: 20200401100817
Part of config for my.domain:
type primary;
file "/usr/local/etc/namedb/dynamic/my.domain";
inline-signing yes;
dnssec-policy default;
// auto-dnssec maintain;
allow-transfer {
"dns-servers";
};
allow-query { 0/0; };
also-notify {
"dns-notify";
};
};
After replacing `auto-dnssec maintain` with `dnssec-policy default` and restarting named, the keys were changed:
- In all `*.key` and `*.private` files, lines like these were added:
Inactive: 20230104183402
Delete: 20230105203402
- Files `*.state` were added for all keys.
- Files `Kmy.domain.+013+${ID3}.{state|key|private}` were added.
`named-checkconf -px` output is too long:
named-checkconf -px|wc -l
1799
But I can post parts by request.
Relevant logs and/or screenshots
04-Jan-2023 21:34:02.060 zoneload: info: zone my.domain/IN/external (unsigned): loaded serial 2023010403
04-Jan-2023 21:34:02.064 zoneload: info: zone my.domain/IN/external (signed): loaded serial 2020049912 (DNSSEC signed)
04-Jan-2023 21:34:02.064 general: info: zone my.domain/IN/external (signed): receive_secure_serial: unchanged
04-Jan-2023 21:34:02.064 dnssec: info: zone my.domain/IN/external (signed): reconfiguring zone keys
04-Jan-2023 21:34:02.071 dnssec: info: keymgr: retire DNSKEY my.domain/ECDSAP256SHA256/${ID1} (KSK)
04-Jan-2023 21:34:02.071 dnssec: info: keymgr: retire DNSKEY my.domain/ECDSAP256SHA256/${ID2} (ZSK)
04-Jan-2023 21:34:02.071 dnssec: info: keymgr: DNSKEY my.domain/ECDSAP256SHA256/${ID3} (CSK) created for policy default
04-Jan-2023 21:34:02.072 dnssec: info: DNSKEY my.domain/ECDSAP256SHA256/${ID1} (KSK) is now deleted
04-Jan-2023 21:34:02.073 dnssec: info: DNSKEY my.domain/ECDSAP256SHA256/${ID2} (ZSK) is now deleted
04-Jan-2023 21:34:02.073 dnssec: info: Fetching my.domain/ECDSAP256SHA256/${ID3} (CSK) from key repository.
04-Jan-2023 21:34:02.073 dnssec: info: DNSKEY my.domain/ECDSAP256SHA256/${ID3} (CSK) is now published
04-Jan-2023 21:34:02.073 dnssec: info: DNSKEY my.domain/ECDSAP256SHA256/${ID3} (CSK) is now active
04-Jan-2023 21:34:02.075 dnssec: info: zone my.domain/IN/external (signed): next key event: 04-Jan-2023 21:39:02.064
04-Jan-2023 21:34:02.340 zoneload: info: zone my.domain/IN/internal: loaded serial 2020049909 (DNSSEC signed)
Possible fixes
Probably I need a correct configuration and maybe a clearer and simpler migration guide (this one is very long and hard to understand for non-native speakers: https://kb.isc.org/docs/dnssec-key-and-signing-policy).
Thanks!
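As an added illustration (not part of the report or of BIND), the following Python script does offline the check the reporter performed by hand with `drill -t DS` and `drill -t DNSKEY` in steps 3 and 6: it computes RFC 4034 key tags and DS digests and reports which of the parent's DS records are still backed by a published DNSKEY. The logged sequence (old KSK and ZSK retired and deleted, a new CSK created) with an unchanged DS at the parent is exactly the orphaned-DS state the script flags, the state in which a validating resolver such as 8.8.8.8 returns nothing while the local server answers. The key blobs are constructed placeholders, not real ECDSA keys.

```python
import base64
import hashlib

# Constructed sample keys (not real ECDSA public keys; tiny key blobs keep
# the tags and digests reproducible offline). Algorithm 13 as in the report.
OLD_KSK = (257, 3, 13, "AAECAw==")   # stands in for Kmy.domain.+013+${ID1}
OLD_ZSK = (256, 3, 13, "BAUGBw==")   # stands in for Kmy.domain.+013+${ID2}
NEW_CSK = (257, 3, 13, "CAkKCw==")   # stands in for Kmy.domain.+013+${ID3}

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA, big-endian pairs."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest), like a dsset- file line."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), dnskey[2], digest_type, digest


def validate_ds_set(owner, ds_records, dnskeys):
    """Split the parent's DS records into (matched, orphaned) key tags.
    If every DS is orphaned, validating resolvers treat the zone as bogus."""
    matched, orphaned = [], []
    for tag, alg, dtype, digest in ds_records:
        ok = any(make_ds(owner, k, dtype) == (tag, alg, dtype, digest.upper())
                 for k in dnskeys if k[2] == alg)
        (matched if ok else orphaned).append(tag)
    return matched, orphaned


if __name__ == "__main__":
    parent_ds = [make_ds("my.domain.", OLD_KSK)]   # what the parent still publishes
    print("after migration:", validate_ds_set("my.domain.", parent_ds, [NEW_CSK]))
    print("safe rollover:  ", validate_ds_set("my.domain.", parent_ds, [OLD_KSK, OLD_ZSK, NEW_CSK]))
```

Feed it the tags and digests from `drill -t DS my.domain @8.8.8.8` and the DNSKEY lines from `drill -t DNSKEY my.domain @127.0.0.1` to confirm the chain before and after any policy change.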