[Opendnssec-user] Strange signature combination.
matthijs at nlnetlabs.nl
Fri Oct 11 07:56:32 UTC 2013
Hi Jan Hugo,
On 10/10/2013 03:55 PM, Jan Hugo Prins wrote:
> I'm currently in the process of getting to learn all the inner workings
> of DNSSec and the combination with OpenDNSSec in particular. So far
> everything looks fine, but I have one strange thing now.
> During my testing I have taken my own domain to do some DNSSEC things
> with. This domain has been signed for a longer period of time but this
> was always manual using the bind tools. Now I have imported the domain
> into opendnssec and created the keys. After that I imported the new DS
> for the new KSK into the parent zone.
> Then I started playing around and because I didn't know yet how
> OpenDNSSEC worked I did a rollover 2 times in the default policy. This
> created the following situation:
> SQLite database set to: /var/opendnssec/kasp.db
> Zone:        Keytype:  State:  Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> jhprins.org  KSK       active  2014-10-08 14:21:49 (retire)   2048   8           e3de714c43911ebfd7efb3c3bb4e0a10  SoftHSM      26527
> jhprins.org  ZSK       retire  2013-10-17 23:20:52 (dead)     1024   8           f77af07f4b6b59a53dd3a20c946ad21f  SoftHSM      6675
> jhprins.org  ZSK       retire  2013-10-23 20:14:54 (dead)     1024   8           0bae373b89af2dd910f0f7c02f2a5e4a  SoftHSM      14511
> jhprins.org  ZSK       active  2014-01-07 07:14:54 (retire)   1024   8           9f839d3282f4a428dafa3f0b846112ff  SoftHSM      63966
> I have now put the new zone into DNS and it should now be active, so you
> can look it up.
> The strange thing I see is that the current zone seems to be signed by 2
> different keys.
> The SOA record is signed using key 63966 while the rest of the zone is
> signed using key 6675.
> How can this happen and why does this happen? I wonder what will happen
> with the signatures after the 17th of October. What keys will be used?
OpenDNSSEC performs a so-called *smooth* pre-publish ZSK rollover. That
means that not all signatures will be replaced at once. Instead, only
when signatures of the retired key need to be refreshed, they will be
replaced with the new active key.
The signatures from key 6675 will be replaced some time between now and
October 17. When this happens precisely depends on your KASP: It's a
function of signature validity period, refresh period and jitter.
The SOA record needs to be refreshed on every re-sign, so that one is
already signed with the new key 63966.
> The attached PNG also shows it very clearly.
> ID 8836 and 53370 are the KSK and ZSK created in the past using the bind
> Jan Hugo Prins
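A small simulation of the smooth pre-publish ZSK rollover that Matthijs describes, added here as an example and not code from the thread or from OpenDNSSEC: a zone fully signed by ZSK 6675 is re-signed every run after 63966 becomes active, each RRset moves to the new key only when its signature comes due for refresh, and the SOA moves on the very first run. The KASP values (7-day validity, 3-day refresh, 2-hour re-sign), the RRset names and the staggered expirations are assumptions; check the <Signatures> section of your own kasp.xml for the real values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed KASP values, not read from any real kasp.xml.
VALIDITY = timedelta(days=7)   # lifetime of a freshly made RRSIG
REFRESH = timedelta(days=3)    # re-sign once less than this remains
RESIGN = timedelta(hours=2)    # how often the signer runs

@dataclass
class Rrsig:
    keytag: int
    inception: datetime
    expiration: datetime

def needs_refresh(sig: Rrsig, now: datetime) -> bool:
    """A signature is refreshed once its remaining validity drops to REFRESH or less."""
    return sig.expiration - now <= REFRESH

def resign(zone: dict, now: datetime, active_zsk: int) -> dict:
    """One signer run: replace only the signatures that are due, always with the
    active ZSK. The SOA is re-signed every run because its serial changes, so it
    is the first RRset to carry the new key. Returns {rrset: keytag} after the run."""
    for name, sig in list(zone.items()):
        if name == "SOA" or needs_refresh(sig, now):
            zone[name] = Rrsig(active_zsk, now, now + VALIDITY)
    return {name: sig.keytag for name, sig in zone.items()}

def simulate(signed_at: datetime, old_zsk: int, new_zsk: int,
             rollover_at: datetime, runs: int) -> list:
    """Constructed zone: every RRset signed by old_zsk at signed_at, expirations
    staggered by 6 hours per RRset (what jitter does in a real zone). From
    rollover_at on, new_zsk is active; returns (run time, {rrset: keytag}) per run."""
    zone = {name: Rrsig(old_zsk, signed_at, signed_at + VALIDITY + timedelta(hours=6 * i))
            for i, name in enumerate(["SOA", "NS", "MX", "A", "TXT"])}
    return [(rollover_at + n * RESIGN, resign(zone, rollover_at + n * RESIGN, new_zsk))
            for n in range(runs)]

def first_fully_rolled(history: list, new_zsk: int):
    """Time of the first run after which no signature from the retired key remains."""
    for now, tags in history:
        if all(tag == new_zsk for tag in tags.values()):
            return now
    return None

def demo() -> list:
    """Thread's keytags with assumed timestamps: zone signed by 6675 one day before
    63966 became the active ZSK, then 60 signer runs (5 days)."""
    return simulate(datetime(2013, 10, 8, 14, 0), 6675, 63966,
                    datetime(2013, 10, 9, 14, 0), runs=60)

if __name__ == "__main__":
    for now, tags in demo()[::12]:  # one line per day
        print(now, tags)
```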