[Opendnssec-user] Zone signed but with old expiration dates?
Stephane Bortzmeyer
bortzmeyer at nic.fr
Mon Jul 9 10:39:20 UTC 2012
We discovered today that our zone's DNSKEY signature
expired. OpenDNSSEC created the last version on 5th July (and reloaded
the DNS master, a BIND):
% find . -type f |xargs ls -l
-rw-r--r-- 1 root root 24576 Jul 9 11:47 ./db/kasp.db
-rw-r--r-- 1 root root 24576 Apr 10 14:36 ./db/kasp.db.backup
-rw-r--r-- 1 root root 0 Jul 9 11:47 ./db/kasp.db.our_lock
-rw-r--r-- 1 root root 1119 Jul 2 15:47 ./signconf/rd.nic.fr.xml
-rw-r--r-- 1 root root 1119 Jul 2 00:46 ./signconf/rd.nic.fr.xml.OLD
-rw-r--r-- 1 opendnssec opendnssec 29378 Jul 5 11:47 ./signed/rd.nic.fr
-rw-r--r-- 1 root root 29133 Jun 15 11:06 ./signed/rd.nic.fr-orig
-rw-r--r-- 1 opendnssec opendnssec 32601 Jul 5 13:47 ./tmp/rd.nic.fr.backup
-rw-r--r-- 1 opendnssec opendnssec 4001 Jul 2 00:46 ./tmp/rd.nic.fr.inbound
But signed/rd.nic.fr contains signatures which work from 1st July to
9th July:
rd.nic.fr. 3600 IN DNSKEY 256 3 8 AwEAAbKFODstxs+c4yBhRTaMXPFxe/CcCm9Yv7m4v6nC+z/QnK7SpCVcpUNplihimV8giDvNez
80ZrsJLNOhOUmfyhNm0FkaZEx0AzZy0Iftf7DwqKpqWY5vwtRqOYaE0rfjTI93AOQxO6X+ktcuvA2sS92GxEz4wG24My7JErAjYl41 ;{id = 61800 (zsk),
size = 1024b}
rd.nic.fr. 3600 IN DNSKEY 256 3 8 AwEAAb3wf51lBc8U8a8oCv0VbX9HsvsgpwnoxpBld5GwSnmdPx88qZ5fvNaOsiW1gmyQMNUXoI
xBnxWG4/nEWmfdOr9R2BChZymLx1qCp6JDYsq7XO+MCRLiWpfwXy1YfylJOCo9laIbTztJF5H2cLuIazWXfTZsmhmtbjzqIs2gm7ej ;{id = 29214 (zsk),
size = 1024b}
rd.nic.fr. 3600 IN DNSKEY 257 3 8 AwEAAfDCm6XxMotTfpBpaCWJNovM+vDNd+ma47WjHjFj2vZ5RHhi0ocuOURGuin2ZwUqcb5dqd
mSKYn8PZYk27BdMA0jipZBfmLokmjvo8Eg38zuxv/g93b/h9YZSAmoauZFZ3AS2YsFuJY1syjIPUb/PFbbkktroyzNVCfveHRCseZCz94QPFt3OJKQM9lbg9NY
n7AT3it9RroRO9gZRYe4ekMOZaFGvDy7fHvtScHOq2ClYgblHDLUt4Ys7IHWqstssFtksGVUGqaavKH5OGF2h7evIxweke9PR8QrheO5rV79XqXFR6YZVuydk/
QdZcEd09+xsK7ScGA/uGVcF9deRhE= ;{id = 10555 (ksk), size = 2048b}
rd.nic.fr. 3600 IN RRSIG DNSKEY 8 3 3600 20120709043743 20120701214659 10555 rd.nic.fr. tWNggM40zMrFc3cHgMD
HmgDhHA8XQUQG6h4Jv1JiAeQy+dTdYmU5gF6tvTO97QlWo1NUXfTWfez/okjei9XC+Qpvhm1QoRUBFPEB6wcTjRhNZ3hEldojJHBerdu1INHy3XQse7u22dGOG
1luoV6x8Tprkync/9Yx2IlMAXTXB2Sa/cdJJjSb6AlKthYdSzt0/dADU0mfX8sD4War/qR6b/b/Lyip0Nd4pzDQ+vEM627EGofv57yt6QjR1cqAFQD1bginXFK
g5qulHTAnloi0qBq+fisD7FJ2G78fwL/QfwgzeHn+f9hMlEYPFDQy6qUXkwmyUq+XZ6NHXC/0dbLv2w==
Same problem for the NSEC3PARAM. But the NS RRset signature is
correct, going from 4th to 12th July:
rd.nic.fr. 3600 IN NS ns1.rd.nic.fr.
rd.nic.fr. 3600 IN NS ns3.nic.fr.
rd.nic.fr. 3600 IN RRSIG NS 8 3 3600 20120712004919 20120704224701 29214 rd.nic.fr. RTkNMogF7jb37mhBcGSqlcc
dzNna/jwAa6R7puMesCJUoWefk4j+RqC4c6M6QZAreMvGNoNFfCCN0tIpZQtbNgGnGneq4F1UdW6qIjUqfCHZabbp6je+QftpI5XzXz6Blo5RvUqyd2M0Rahf+
X14D12P1RpSG9sNaZmf/hpvSoo=
Even funnier, one A record has a proper inception/expiration but not
the AAAA:
adia.rd.nic.fr. 3600 IN A 192.134.7.132
adia.rd.nic.fr. 3600 IN RRSIG A 8 4 3600 20120712020917 20120705044701 29214 rd.nic.fr. X1jFEDOmeujxTDaMoCfBOiyD
nFZqrPSHDvf0iaqEG5LfCi0Ldb+p5q9mpQcknin4ZeFkbefz0YsMht1ZQfgYBhZUuuS2IgodyyY6RnUzhtJjTgvglv09pwDMl3vZHusNoYCWipMwphiUxFz63+
2jR7+kFjhAA699Ji/4pGEuuKY=
adia.rd.nic.fr. 3600 IN AAAA 2001:660:3003:6::7:132
adia.rd.nic.fr. 3600 IN RRSIG AAAA 8 4 3600 20120708132308 20120701060835 61800 rd.nic.fr. sXXzADzgL8ahAmPWTb8Di
+zkftSK9udTyn0e7kA2N3lXsknE5Al9sDis4zaE6WO50KPdFgXE4TwXf78EnbXJJQ7Nf0MMdjeZtCrqVjTFsLMBfhxagiooYSMGvo4d3jK22QqyJGS3Q0qcN8B
yCp9RdST6J/E8FYAgZ1RGnOUS680=
Any idea of what went wrong?
Debian "stable", OpenDNSSEC from the backports, version 1.3.2 (Debian
1.3.2-1~bpo60+1), using SoftHSM.
Default policy used:
<Policy name="default">
    <Description>A default policy that will amaze you and your friends</Description>
    <Signatures>
        <Resign>PT2H</Resign>
        <Refresh>P3D</Refresh>
        <Validity>
            <Default>P7D</Default>
            <Denial>P7D</Denial>
        </Validity>
        <Jitter>PT12H</Jitter>
        <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
    <Denial>
        <NSEC3>
            <!-- <OptOut/> -->
            <Resalt>P100D</Resalt>
            <Hash>
                <Algorithm>1</Algorithm>
                <Iterations>5</Iterations>
                <Salt length="8"/>
            </Hash>
        </NSEC3>
    </Denial>
    <Keys>
        <!-- Parameters for both KSK and ZSK -->
        <TTL>PT3600S</TTL>
        <RetireSafety>PT3600S</RetireSafety>
        <PublishSafety>PT3600S</PublishSafety>
        <!-- <ShareKeys/> -->
        <Purge>P14D</Purge>
        <!-- Parameters for KSK only -->
        <KSK>
            <Algorithm length="2048">8</Algorithm>
            <Lifetime>P1Y</Lifetime>
            <Repository>SoftHSM</Repository>
        </KSK>
        <!-- Parameters for ZSK only -->
        <ZSK>
            <Algorithm length="1024">8</Algorithm>
            <Lifetime>P30D</Lifetime>
            <Repository>SoftHSM</Repository>
            <!-- <ManualRollover/> -->
        </ZSK>
    </Keys>
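The post compares RRSIG inception and expiration times by eye against the policy's Resign/Refresh/Validity/Jitter timers. The script below, added here as an example and not code from the post or from OpenDNSSEC, does that comparison mechanically: it parses the RRSIG lines of a signed zone, and for each signature reports whether it has expired, whether a running signer should already have refreshed it, and whether its validity window is consistent with Validity plus InceptionOffset within Jitter. The policy timers and the four RRSIG timing fields are taken from the post (the base64 signature data is replaced by "..." since only the timing fields matter); the reference clock is the post's own timestamp. One assumption is built in and marked in the code: that OpenDNSSEC re-signs an RRset once less than Refresh remains before its RRSIG expires, and gets to it within one Resign interval.

```python
"""Audit RRSIG timing fields in a signed zone against OpenDNSSEC policy timers.

Added example; not code from the post or from OpenDNSSEC.
"""
import re
from datetime import datetime, timedelta, timezone

# Policy timers copied from the <Signatures> block quoted in the post.
RESIGN = timedelta(hours=2)            # <Resign>PT2H</Resign>
REFRESH = timedelta(days=3)            # <Refresh>P3D</Refresh>
VALIDITY = timedelta(days=7)           # <Validity><Default>P7D</Default>
JITTER = timedelta(hours=12)           # <Jitter>PT12H</Jitter>
INCEPTION_OFFSET = timedelta(hours=1)  # <InceptionOffset>PT3600S</InceptionOffset>

# Reference clock: the time of the post (Mon Jul 9 10:39:20 UTC 2012).
NOW_POST = datetime(2012, 7, 9, 10, 39, 20, tzinfo=timezone.utc)

# Constructed input: the four RRSIGs quoted in the post, each joined back onto
# one line, with the signature data replaced by "..." (only timing fields matter).
SAMPLE_ZONE = """\
rd.nic.fr. 3600 IN RRSIG DNSKEY 8 3 3600 20120709043743 20120701214659 10555 rd.nic.fr. ...
rd.nic.fr. 3600 IN RRSIG NS 8 3 3600 20120712004919 20120704224701 29214 rd.nic.fr. ...
adia.rd.nic.fr. 3600 IN RRSIG A 8 4 3600 20120712020917 20120705044701 29214 rd.nic.fr. ...
adia.rd.nic.fr. 3600 IN RRSIG AAAA 8 4 3600 20120708132308 20120701060835 61800 rd.nic.fr. ...
"""

# RRSIG presentation format (RFC 4034, section 3.2):
# owner TTL class RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<origttl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def parse_sigtime(field):
    """RRSIG YYYYMMDDHHmmSS field (always UTC) -> aware datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield one dict per RRSIG line; every other record type is ignored."""
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            yield {
                "owner": m["owner"], "type": m["type"], "keytag": int(m["keytag"]),
                "inception": parse_sigtime(m["inc"]),
                "expiration": parse_sigtime(m["exp"]),
            }


def classify(sig, now):
    """State of one RRSIG at time `now`.

    Assumption (not stated in the post): the signer re-signs an RRset once less
    than REFRESH remains before its RRSIG expires, and does so within one RESIGN
    interval. A signature with less than REFRESH - RESIGN left should therefore
    already have been replaced if the signer had been running.
    """
    if now < sig["inception"]:
        return "NOT_YET_VALID"
    if now >= sig["expiration"]:
        return "EXPIRED"
    if sig["expiration"] - now < REFRESH - RESIGN:
        return "REFRESH_OVERDUE"
    return "OK"


def window_matches_policy(sig):
    """True if expiration - inception equals VALIDITY + INCEPTION_OFFSET within JITTER."""
    span = sig["expiration"] - sig["inception"]
    return abs(span - (VALIDITY + INCEPTION_OFFSET)) <= JITTER


def check_zone(zone_text, now):
    """Audit every RRSIG in zone_text at time `now`; return one report row each."""
    rows = []
    for sig in parse_rrsigs(zone_text):
        rows.append({
            "owner": sig["owner"], "type": sig["type"], "keytag": sig["keytag"],
            "state": classify(sig, now),
            "refresh_due": sig["expiration"] - REFRESH,  # latest sane re-sign time
            "window_ok": window_matches_policy(sig),
        })
    return rows


if __name__ == "__main__":
    for r in check_zone(SAMPLE_ZONE, NOW_POST):
        print(f"{r['owner']:<18} {r['type']:<7} key {r['keytag']:<6} {r['state']:<16} "
              f"refresh due {r['refresh_due']:%Y-%m-%d %H:%M}Z "
              f"window {'ok' if r['window_ok'] else 'UNEXPECTED'}")
```

Run against the post's timestamp, it reports the DNSKEY and AAAA signatures as EXPIRED and the NS and A signatures as REFRESH_OVERDUE (still valid, but past the point where a 2-hourly signer with Refresh P3D would have replaced them), while every window length is consistent with the policy. To use it on a real deployment, read the signed zone file instead of SAMPLE_ZONE and pass the current UTC time; anything other than OK is worth an alert well before the DNSKEY RRSIG itself lapses.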