CDS and CDNSKEY not published
Summary
No CDS or CDNSKEY record is published for a key even though the SYNC Publish time has passed.
BIND version used
BIND 9.18.12-1~bpo11+1-Debian (Extended Support Version) <id:>
running on Linux x86_64 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-F3ZCFb/bind9-9.18.12=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.1 20210110
compiled with OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
linked to OpenSSL version: OpenSSL 1.1.1n 15 Mar 2022
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
Switch a zone from dnssec-policy legacy to dnssec-policy standard (shown below).
What is the current bug behavior?
While the new key appears in the DNSKEY RRset, it does not appear in CDS or CDNSKEY.
What is the expected correct behavior?
The key should appear in the CDS and CDNSKEY RRsets, so that the parent could pick it up and insert the corresponding DS.
Relevant configuration files
dnssec-policy "legacy" {
    keys {
        zsk lifetime P90D algorithm rsasha256 1280;
        ksk lifetime unlimited algorithm rsasha256 2048;
    };
    nsec3param iterations 0 optout no salt-length 0;
    dnskey-ttl P1D;
    max-zone-ttl P7D;
    parent-ds-ttl P1D;
    parent-propagation-delay PT1H;
    publish-safety PT1H;
    purge-keys P90D;
    retire-safety PT1H;
    signatures-refresh P5D;
    signatures-validity P2W;
    signatures-validity-dnskey P2W;
    zone-propagation-delay PT5M;
};

dnssec-policy "standard" {
    keys {
        zsk lifetime P90D algorithm ecdsa256;
        ksk lifetime unlimited algorithm ecdsa256;
    };
    dnskey-ttl P1D;
    max-zone-ttl P7D;
    parent-ds-ttl P1D;
    parent-propagation-delay PT1H;
    publish-safety PT1H;
    purge-keys P90D;
    retire-safety PT1H;
    signatures-refresh P5D;
    signatures-validity P2W;
    signatures-validity-dnskey P2W;
    zone-propagation-delay PT5M;
};

zone "92.208.85.in-addr.arpa" {
    type master;
    file "pri/85.208.92.rev";
    dnssec-policy standard;
    inline-signing yes;
    parental-agents {
        "85.in-addr.arpa";
    };
    notify yes;
    allow-transfer {
        "allow-transfer";
    };
};
Relevant logs and/or screenshots
Zone status:
# rndc zonestatus 92.208.85.in-addr.arpa.
name: 92.208.85.in-addr.arpa.
type: primary
files: pri/85.208.92.rev
serial: 2022013100
signed serial: 2022013181
nodes: 1
last loaded: Fri, 21 Apr 2023 08:53:56 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Fri, 28 Apr 2023 09:58:26 GMT
next resign node: 92.208.85.in-addr.arpa/NSEC
next resign time: Wed, 26 Apr 2023 12:52:39 GMT
dynamic: no
reconfigurable via modzone: no
DNSSEC status:
# rndc dnssec -status 92.208.85.in-addr.arpa.
dnssec-policy: standard
current time: Tue Apr 25 19:30:59 2023
key: 25045 (RSASHA256), KSK
published: yes - since Mon Feb 25 01:13:57 2019
key signing: yes - since Mon Feb 25 01:13:57 2019
Rollover is due since Sat Apr 22 13:53:26 2023
- goal: hidden
- dnskey: omnipresent
- ds: rumoured
- key rrsig: omnipresent
key: 19158 (RSASHA256), ZSK
published: yes - since Mon Feb 25 01:13:57 2019
zone signing: yes - since Mon Feb 25 01:13:57 2019
Rollover is due since Fri Apr 21 11:53:26 2023
- goal: hidden
- dnskey: omnipresent
- zone rrsig: omnipresent
key: 1806 (ECDSAP256SHA256), ZSK
published: yes - since Fri Apr 21 11:53:26 2023
zone signing: yes - since Fri Apr 21 11:53:26 2023
Next rollover scheduled on Thu Jul 20 09:48:26 2023
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: rumoured
key: 59921 (ECDSAP256SHA256), KSK
published: yes - since Fri Apr 21 11:53:26 2023
key signing: yes - since Fri Apr 21 11:53:26 2023
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: hidden
- key rrsig: omnipresent
Key times:
# dnssec-settime -p all K92.208.85.in-addr.arpa.+013+59921.private
Created: Fri Apr 21 11:53:26 2023
Publish: Fri Apr 21 11:53:26 2023
Activate: Fri Apr 21 11:53:26 2023
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
SYNC Publish: Sat Apr 22 12:58:26 2023
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
CDS RRset:
; dig +noall +answer +dnssec +multiline 92.208.85.in-addr.arpa cds @grendel
92.208.85.in-addr.arpa. 3600 IN CDS 25045 8 2 (
A61C187B0EE2F5AEA1218447DA64102E28C1FD9AFA9C
CE81B0C1A2657B2E25E6 )
92.208.85.in-addr.arpa. 3600 IN RRSIG CDS 8 5 3600 (
20230505085326 20230421075326 25045 92.208.85.in-addr.arpa.
FPEs+gdOTNhO4WCRbVb4vxLmOvhtAQC6J/QfdWRgWcQq
DP/UVO+Gu0KwIC4GPmvBDjHbq/p+lrbd3WNZ5CP+aqUI
jDXsW56y3+sSBsWxAr1nBrdGxW2ZLKVFKoNVUmxYieDx
MHGGPvSfdiqzzNaVJaR7LpTw8mqAX58gvVgrcsS8J1HB
xE4a90YsJfhXJ/iLAnuZ6IS2SI2tgkh/JJvoLfjNQ+WU
BR300inWCb+zohq1U3XlG26bvJeszMYuJizXCTDmYZmE
NTxRWrbRR7/nNShHeGrdUzeTgLXeuNRxsPX/yEEyNYyC
S+JIdsDI0oOKaP/rucGb7NgI/8He0fHsnA== )
92.208.85.in-addr.arpa. 3600 IN RRSIG CDS 13 5 3600 (
20230505085326 20230421075326 59921 92.208.85.in-addr.arpa.
ZFqEOLChwiw6zt04y2+9LO9h0NrUkfcVc1ru89om8f+9
JAFil5tIpsDOwlEy3Q1N3hr58l+SP2Dp7BtT2blabg== )
CDNSKEY RRset:
; dig +noall +answer +dnssec +multiline 92.208.85.in-addr.arpa cdnskey @grendel
92.208.85.in-addr.arpa. 3600 IN CDNSKEY 257 3 8 (
AwEAAdd1bJx7jZuLoGpk+rWoUQfPwsMsgUjqiwAyM5cL
gXL3JCSLMBtcvvG4mKEfhmi8SyQntzjYbuIHybHBFQZN
6i80XiWImaBn1qwv0D5VZKOoTmnm6yycqAvh2e8DtqYh
I3EyoYnljgDuDJYemjO81bOgk9XR5emKdOP2+dm8cY3/
SRosLSo3BZqK2uV4Dh8YzRo7j4w7JMUbps/M+oEhISve
kOyvtFdMOLmu1VASTZFgVOEXO9zaKS4RY3aA444k5Nje
T6+dQlXoN9o5x6koi5b8679ygG4+rb9YzTkRQGWi8ECG
a0CEvGoTUGJMX1T5SCWlg9pXST8fBHxgpU/81ac=
) ; KSK; alg = RSASHA256 ; key id = 25045
92.208.85.in-addr.arpa. 3600 IN RRSIG CDNSKEY 8 5 3600 (
20230505085326 20230421075326 25045 92.208.85.in-addr.arpa.
wp9k019A8RGL6ZbF0mLc3OWTKmwpYG9MkQtbtrLjtpUU
BNTOPF9N8VAbl+CfGJEHwfFLN2JyYFZj3i4Rta4RzNm6
EipQe7msCQ+0Zwc37iHYFr7iDfwZLbWKN5owjfzamCRW
OrNmHAGEWVtO+u9ADSm1EHyjCpF2KMAuzZuE9VpggyeZ
FX4j+wgUHNIDU/Q1P2vPV5JnDoCGZAQy4t1yx8ZXG1Iy
PkEpa6JHR5NpDLSez8bTRlxHK53ja65Q/z6NXUq3Owok
Vkof9kGLsLl1W0ZvGEb7NgkINMs0PNuO/HGXrY7A3rLr
py3gZrwqy8n9YMc3Uss6UhhP6eRYEbbp9A== )
92.208.85.in-addr.arpa. 3600 IN RRSIG CDNSKEY 13 5 3600 (
20230505085326 20230421075326 59921 92.208.85.in-addr.arpa.
2X40hGPmeSLLY+HSBq/BRh9DZ3Npz7R7hVnW52sMlUmH
IBDuuYHqD/oCE9oOl7eRJHN4k3fP3TNK8URj6V0OeA== )
DNSKEY RRset:
; dig +noall +answer +dnssec +multiline 92.208.85.in-addr.arpa dnskey @grendel
92.208.85.in-addr.arpa. 604800 IN DNSKEY 256 3 8 (
AwEAAbsolL0xLjTDBS2vd/K1kaA0JU0Xmry4KYD7uOyi
laohxiLcl+SZMPHNVoulzM/Fog5mn5P8ipkKjllNoDEM
dwUAu3ULMLQIRMK+h6LLbfAdL9yw71myJxADeTK7Nfzz
YJaV4S93sYAETy4u8RVHgmF6xssvsuTrGTllCVkS9lov
) ; ZSK; alg = RSASHA256 ; key id = 19158
92.208.85.in-addr.arpa. 604800 IN DNSKEY 257 3 8 (
AwEAAdd1bJx7jZuLoGpk+rWoUQfPwsMsgUjqiwAyM5cL
gXL3JCSLMBtcvvG4mKEfhmi8SyQntzjYbuIHybHBFQZN
6i80XiWImaBn1qwv0D5VZKOoTmnm6yycqAvh2e8DtqYh
I3EyoYnljgDuDJYemjO81bOgk9XR5emKdOP2+dm8cY3/
SRosLSo3BZqK2uV4Dh8YzRo7j4w7JMUbps/M+oEhISve
kOyvtFdMOLmu1VASTZFgVOEXO9zaKS4RY3aA444k5Nje
T6+dQlXoN9o5x6koi5b8679ygG4+rb9YzTkRQGWi8ECG
a0CEvGoTUGJMX1T5SCWlg9pXST8fBHxgpU/81ac=
) ; KSK; alg = RSASHA256 ; key id = 25045
92.208.85.in-addr.arpa. 604800 IN DNSKEY 256 3 13 (
h7klGYSfWl2OVuvDA5Ob4vux5vWa6SL4YEGi/0gZOzio
sROzK0U+/edW/+gf7IdrlsPI6ofn8hGNDzCHq7M+VA==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 1806
92.208.85.in-addr.arpa. 604800 IN DNSKEY 257 3 13 (
Az8bQZ+MiGXWXj9/nyy3Y5Wj0xhJs6h0oxbTmzcYzxNO
6sQrdoNIPaqlfR+D27BFyPrKgydJLt+xwgil9QGUkg==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 59921
92.208.85.in-addr.arpa. 604800 IN RRSIG DNSKEY 8 5 604800 (
20230505085326 20230421075326 25045 92.208.85.in-addr.arpa.
FtyKrwSRBnTgEc1LPdYumR1RYb7ALS/EZPV3z2pw71zf
CAvmja5zHkl97M527+D7jDrc/fagaETFRylBqnhVLOHU
yvn5GXVPmh5tR3IObKzTHwSrk8vasCNkzQa3IK3eZymA
estUHccjdUwmtavXB+udn0kLLXiqmEcuOKNWro0cczpZ
H7ZVBxP3Oh8Pni1tBeyBeco2l3Gt2wpOykkuQaIZmbkz
EJfmvOS9EsmKjw1wwzsVeMlv9Uta1RnjiHASDXx1yowJ
heMw6bfTpnLhkh6lyUNjJwtapC0pUX4RcQqRY4v+fQSJ
r469Ugax1G0t51wbRPz2hd3VNdNMn+OGdw== )
92.208.85.in-addr.arpa. 604800 IN RRSIG DNSKEY 13 5 604800 (
20230505085326 20230421075326 59921 92.208.85.in-addr.arpa.
amnRU6dE9xpLzZUgK7omasMiP7/cJ5+EE0f+MCMwXp5+
7r2XpHvXbYLNjk5vOjzm2C6ZHmMbSBq66wZMqj6JGw== )
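A check for the expected behaviour described in this report, added here as an example (it is not part of the report or of BIND): given the SYNC Publish / SYNC Delete times printed by `dnssec-settime -p` and the CDS and CDNSKEY answers from `dig +multiline`, it lists every key whose SYNC Publish time has passed but which is absent from either RRset. The sample inputs are constructed from the outputs above with the key material abbreviated, and the CDNSKEY key tags are taken from the `key id = N` annotation that `dig +multiline` appends, so the check assumes that output form.

```python
import re
from datetime import datetime
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # as printed by dnssec-settime -p and rndc dnssec -status

# Constructed sample input modelled on the outputs in the report (key material
# abbreviated: only key tags and timing metadata are inspected).
SETTIME_BY_TAG = {
    59921: "SYNC Publish: Sat Apr 22 12:58:26 2023\nSYNC Delete: UNSET\n",
    25045: "SYNC Publish: UNSET\nSYNC Delete: UNSET\n",
}
CDS_TEXT = """92.208.85.in-addr.arpa. 3600 IN CDS 25045 8 2 (
                A61C187B0EE2F5AEA1218447DA64102E28C1FD9AFA9CCE81B0C1A2657B2E25E6 )
"""
CDNSKEY_TEXT = """92.208.85.in-addr.arpa. 3600 IN CDNSKEY 257 3 8 (
                AwEAAdd1bJx7jZuLoGpk... ) ; KSK; alg = RSASHA256 ; key id = 25045
"""
NOW = datetime.strptime("Tue Apr 25 19:30:59 2023", TIME_FMT)  # "current time" from the report

def join_multiline(text):
    """Fold dig +multiline records (parenthesised continuations) into one line each."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith(";"):
            buf.append(line.strip())
            depth += line.count("(") - line.count(")")
            if depth == 0:
                records.append(" ".join(buf))
                buf = []
    return records

def parse_settime(text):
    """Map dnssec-settime -p field names to datetimes (None for UNSET)."""
    times = {}
    for line in text.splitlines():
        field, _, value = line.partition(":")
        value = value.strip()
        times[field.strip()] = None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
    return times

def missing_sync_keys(settime_by_tag, cds_text, cdnskey_text, now):
    """Key tags whose SYNC Publish window is open but which are absent from CDS or CDNSKEY."""
    cds_tags = {int(m[1]) for r in join_multiline(cds_text) if (m := re.search(r"\bIN CDS (\d+) ", r))}
    # dig +multiline appends '; KSK; alg = ... ; key id = N' to each CDNSKEY record
    cdnskey_tags = {int(m[1]) for r in join_multiline(cdnskey_text)
                    if (m := re.search(r"\bIN CDNSKEY\b.*key id = (\d+)", r))}
    problems = []
    for tag, times in ((t, parse_settime(s)) for t, s in settime_by_tag.items()):
        sync_pub, sync_del = times.get("SYNC Publish"), times.get("SYNC Delete")
        if sync_pub is None or sync_pub > now or (sync_del is not None and sync_del <= now):
            continue  # not due in CDS/CDNSKEY yet, or already withdrawn
        problems += [(tag, rr) for rr, tags in (("CDS", cds_tags), ("CDNSKEY", cdnskey_tags)) if tag not in tags]
    return sorted(problems)
```

Run against the report's data it flags key 59921 for both RRsets; run before the SYNC Publish time it reports nothing, which is the condition a monitoring job would alert on once a KSK rollover is due.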