[Opendnssec-user] Absent ZSK in zone signed with OpenDNSSEC

Sebastian Castro sebastian at nzrs.net.nz
Fri Apr 16 02:07:05 UTC 2010


I'm running OpenDNSSEC 1.1.0-trunk and I hit a strange situation.

In simple words, the zone was being signed with a ZSK that ended not
included as DNSKEY in the final signed zone.

The list of keys in use according to ksmutil is

/usr/local/opendnssec/bin/ods-ksmutil key list --verbose
SQLite database set to: /var/opendnssec/kasp.db
Zone:                           Keytype:      State:    Date of next
transition:  CKA_ID:                           Repository:
co.nz                           KSK           active    2010-04-15
16:29:10      3996d43aca8dea21830a1c9299d693ef  softHSM          33249
co.nz                           KSK           ready     waiting for
ds-seen       b133bb8d3bb6664d73de0dcba5adc481  softHSM          33054
co.nz                           KSK           ready     waiting for
ds-seen       6d895ad0b98a1e3deb63eca7c985fae8  softHSM          34773
co.nz                           ZSK           active    2010-04-17
16:29:10       a008c770853ff48e5db645e400e99e71  softHSM         35157
co.nz                           ZSK           ready     next rollover
          c92810080bea87634abd42cc7f3593ae  softHSM

But the output zone contains:

name    type   keytag   keytype         algorithm
co.nz	DNSKEY-23213	DNSKEY-ZSK	7
co.nz	DNSKEY-33054	DNSKEY-KSK	7
co.nz	DNSKEY-33249	DNSKEY-KSK	7
co.nz	DNSKEY-42044	DNSKEY-ZSK	7
co.nz	DNSKEY-47295	DNSKEY-ZSK	7
co.nz	DNSKEY-9516	DNSKEY-KSK	7

but the signatures for the zone records are generated using key 35157,
which is consistent with ksmutil output. To verify is not a BIND issue,
I checked the output signed zone and effectively didn't include the ZSK
but included some old rolled over keys.

I proceeded to delete the signed zone and force the signing of the zone
using ods-signer sign co.nz. The result was the zone now contains the
right KSK/ZSK... Is OpenDNSSEC obtaining the DNSKEY for the existing
signed zone?

During this process, I found what it seems to be a bug with quicksorter:
If the first line of the zone doesn't contain a class, quicksorter fails
with a 'No class' error, breaking the signing process.

# head /var/opendnssec/unsigned/co.nz.zone
; zone co.nz built at Wed Aug 19 10:04:38 2009
$TTL 86400
@	SOA	loopback.dns.net.nz. soa.nzrs.net.nz. 2010030514 900 300 604800 3600
co.nz.	NS	ns1.dns.net.nz.
co.nz.	NS	ns2.dns.net.nz.
co.nz.	NS	ns3.dns.net.nz.

quicksorter will complain

# /usr/local/opendnssec/libexec/opendnssec/quicksorter -o co.nz. -f
/var/opendnssec/unsigned/co.nz.zone -w /var/opendnssec/tmp/co.nz.sorted
-m 3600 -t 3600
/var/opendnssec/unsigned/co.nz.zone:3: No class

If I add the class for the SOA record, everything works fine

Should quicksorter assume class=IN by default?

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list