[Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

Erik P. Ostlyngen erik at norid.no
Wed Feb 26 12:25:23 UTC 2020


Unfortunately, I'm still not able to find a solution to the problem
I'm having with double signatures in the zonefile during the zsk
rollover. I've been using the example policy configurations which are
included in the opendnssec source code ('default' and 'lab' in
kasp.xml.in). Any help with how I should proceed to investigate the
problem would be greatly appreciated.

I've scripted my test system to archive each signed version of the
zonefile that is produced. I can then see the following increase in
filesize during a rollover until it afterwards drops down to normal size:

-rw-r--r-- 1 root root 1273613 Feb  7 12:08 oslo.no.28
-rw-r--r-- 1 root root 1274457 Feb  7 06:19 oslo.no.29
-rw-r--r-- 1 root root 1274457 Feb  7 04:46 oslo.no.30
-rw-r--r-- 1 root root 1931351 Feb  6 16:19 oslo.no.31
-rw-r--r-- 1 root root 1930507 Feb  4 22:46 oslo.no.32
-rw-r--r-- 1 root root 1930507 Feb  2 20:46 oslo.no.33
-rw-r--r-- 1 root root 1927039 Feb  2 18:46 oslo.no.34
-rw-r--r-- 1 root root 1874730 Feb  2 16:46 oslo.no.35
-rw-r--r-- 1 root root 1817829 Feb  2 14:46 oslo.no.36
-rw-r--r-- 1 root root 1763497 Feb  2 12:46 oslo.no.37
-rw-r--r-- 1 root root 1706597 Feb  2 10:46 oslo.no.38
-rw-r--r-- 1 root root 1653132 Feb  2 08:46 oslo.no.39
-rw-r--r-- 1 root root 1606025 Feb  2 06:46 oslo.no.40
-rw-r--r-- 1 root root 1556062 Feb  2 04:46 oslo.no.41
-rw-r--r-- 1 root root 1501766 Feb  2 02:46 oslo.no.42
-rw-r--r-- 1 root root 1439363 Feb  2 00:46 oslo.no.43
-rw-r--r-- 1 root root 1382198 Feb  1 22:46 oslo.no.44
-rw-r--r-- 1 root root 1324976 Feb  1 20:46 oslo.no.45

I consider this to be a serious problem for various reasons. The added
amount of zonefile data increases the size of the DNS query responses.
It also slows down the verification and publication processes of the
signed zones.

Kind regards,
Erik Østlyngen
Norid AS

On 17/01/2020 10.55, Erik P. Ostlyngen via Opendnssec-user wrote:
> Hi again,
> I've now made a test installation of the Ubuntu Focal version of 
> opendnssec 2.1.4 and have set up a signer using the standard demo 
> configuration which comes with the package. Signing from file to
> file. With this config I still get double signatures during a ZSK
> rollover. After the publication period (new ZSK in state Rumored),
> the ZSK goes to state Omnipresent and starts using the new key for
> signing. At this point the signer creates double signatures and
> continues to do so throughout the re-signing period until the old
> key is removed from the zone.
> Is there a demo configuration somewhere with kasp timing
> parameters tuned so that ZSK rollover replaces the signatures
> without doubling them (provided that this is possible and
> configuration is the problem)? That would be very useful.
> Kind regards,
> Erik Østlyngen
> Norid AS
> www.norid.no
>
> On 15/01/2020 08.49, Erik P. Ostlyngen via Opendnssec-user wrote:
>> On 14/01/2020 10.00, Berry A.W. van Halderen via Opendnssec-user
>>  wrote:
>>> Dear Erik,
>>> It will also depend on the TTL of your keyset.  The old 
>>> signatures need to be around for at least that time period plus
>>>  some more. The ods-enforcer key list command by default only 
>>> gives out information whether a key is active or not, not the 
>>> real underlying status of the key presence as seen on the 
>>> internet.  If you add the flag -d to the command it will
>>> output a more extended interpretation with amongst others
>>> whether a key is rumoured (active but not seen by everyone yet)
>>> or omnipresent (everyone should know about it). Only in that
>>> latter state an old signature will be dropped when a new
>>> signature is generated.
>>> Note also that it depends on how to perform a roll.  The
>>> default is to move as swiftly as possible, not generating
>>> duplicate signatures or full resigns.  O, and during a key roll
>>> with an algorithm roll over all signatures need to be kept
>>> present for some rolls.
>>> So without more information regarding KASP configuration and
>>> key state this doesn't look surprising to me yet.  And
>>> certainly not wrong.  There were some corrections in the past
>>> but you are on 2.1.4 already.
>> Dear Berry,
>> Thank you for your detailed and informative answer. I've tried to
>>  use the -d option to observe how the key states change during
>> the rollover. It looks like the new zsk goes to state
>> 'omnipresent' after a short period of inactive/publishing:
>>
>> cmd> key list -d --zone bergen.no
>> Keys:
>> Zone:      Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:       Pub: Act: Id:
>> bergen.no  KSK        omnipresent  omnipresent  omnipresent   NA           1    1    c475614c9cbf33a1a1ae55836695590c
>> bergen.no  ZSK        NA           omnipresent  NA            unretentive  1    0    7199b64ff27f109f4f86bb8ccc6fb166
>> bergen.no  ZSK        NA           omnipresent  NA            rumoured     1    1    7a0c39ac376af233453002d70ced7926
>>
>> It is in this state, where both the old and the new zsk are
>> omnipresent, that the double signatures are inserted. I'm not
>> able to see if my TTL values or other timing parameters are
>> causing it. The zsk roll type is 'ZskPrePublication'. There are
>> no algorithm changes involved. I'm attaching the kasp policy
>> configuration if you would like to have a look.
>> Kind regards,
>> Erik Østlyngen
>> Norid AS
>> www.norid.no
> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
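
One way to measure the double signatures discussed in this thread, as an added example that is not part of the original messages or of OpenDNSSEC: it reads a signed zone file and reports which RRsets carry RRSIGs from more than one key of the same algorithm, and how many RRsets each key tag signs. It assumes one record per line with a fully qualified owner name on every line; the zone name, key tags and signature data in the sample are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample (not from the thread): RRSIG lines of a signed zone in
# one-record-per-line form. Key tags 11111 (old ZSK), 22222 (new ZSK),
# 33333 (KSK) and the signature data "c2ln" are placeholders.
def _rrsig(owner, covered, labels, tag):
    return (f"{owner} 3600 IN RRSIG {covered} 8 {labels} 3600 "
            f"20200221000000 20200207000000 {tag} example.test. c2ln")

SAMPLE_ZONE = "\n".join([
    "example.test. 3600 IN NS ns1.example.test.",
    _rrsig("example.test.", "DNSKEY", 2, 33333),
    _rrsig("example.test.", "SOA", 2, 22222),       # already re-signed
    _rrsig("example.test.", "NS", 2, 11111),        # double-signed
    _rrsig("example.test.", "NS", 2, 22222),
    _rrsig("www.example.test.", "A", 3, 11111),     # double-signed
    _rrsig("www.example.test.", "A", 3, 22222),
    _rrsig("mail.example.test.", "A", 3, 11111),    # not yet re-signed
])

def rrsig_signers(zone_text):
    """Map (owner, covered type) -> set of (algorithm, key tag)."""
    signers = defaultdict(set)
    for line in zone_text.splitlines():
        f = line.split(";", 1)[0].split()           # drop trailing comments
        # owner TTL class RRSIG covered alg labels origttl exp inc keytag signer sig
        if len(f) >= 13 and f[3].upper() == "RRSIG":
            signers[(f[0].lower(), f[4].upper())].add((int(f[5]), int(f[10])))
    return signers

def double_signed(signers):
    """RRsets signed by more than one key of the same algorithm.
    DNSKEY is skipped: it is signed by the KSK and may have several signers."""
    hits = []
    for (owner, covered), keys in signers.items():
        per_alg = Counter(alg for alg, _ in keys)
        if covered != "DNSKEY" and any(n > 1 for n in per_alg.values()):
            hits.append((owner, covered))
    return sorted(hits)

def signatures_per_key(signers):
    """Number of RRsets signed by each key tag."""
    return Counter(tag for keys in signers.values() for _, tag in keys)

if __name__ == "__main__":
    s = rrsig_signers(SAMPLE_ZONE)
    print("double-signed RRsets:", double_signed(s))
    print("RRsets signed per key tag:", dict(signatures_per_key(s)))
```

Run over each archived version of the zone file in turn, the per-key counts show whether the old key's signatures are being replaced or kept alongside the new ones.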
