0

To control when signatures expire, I've switched to using dnssec-policy to generate DNSSEC records for my zones. This has solved the issue of getting RRSIG records to expire when they should but introduced a new problem of its own.

bind9 is now constantly attempting to retire my non-expiring KSK and ZKS keys. How do I configure bind not to attempt any key rotation when the keys never expire?

This is the relavent portion of my logs:

named[5078]: keymgr: retire DNSKEY example.com/ED25519/00000 (KSK)
named[5078]: keymgr: DNSKEY example.com/ED25519/50916 (ZSK) created for policy example-com-policy
named[5078]: zone example.com/IN (signed): zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk

Some more info on my setup:

  1. KSK and ZSK keys were generated by running:

    dnssec-keygen -a ED25519 -f KSK example.com
dnssec-keygen -a ED25519 example.com

  2. Policy declaration in named.conf.local:

    dnssec-policy example-com-policy {
  dnskey-ttl 300;
  keys {
      ksk key-directory lifetime unlimited algorithm ED25519;
      zsk key-directory lifetime unlimited algorithm ED25519;
  };
  max-zone-ttl 300;
  parent-ds-ttl 300;
  parent-propagation-delay 2h;
  publish-safety 7d;
  retire-safety 7d;
  signatures-refresh 1439h;
  signatures-validity 90d;
  signatures-validity-dnskey 90d;
  zone-propagation-delay 2h;
};

  3. Zone declaration in named.conf.local:

    zone "example.com" {
     type master;
     file ".../db.example.com";
     allow-transfer  { ... };
     also-notify     { ... };

     key-directory "...";
     serial-update-method unixtime;
     dnssec-policy example-com-policy;
};

  4. and the contents of .../db.example.com:

    $TTL 300
@    IN  SOA ns1.example.com. admin.example.com. (
         1634019890      ; Serial
         10m             ; Refresh
         20m             ; Retry
         9w              ; Expire
         1h )            ; Negative Cache TTL
;

example.com. IN  NS  ns1.example.com.
example.com. IN  NS  ns2.example.com.

; ...

  5. System information:

    • bind9 9.16.15-debian
    • Debian 11 (latest stable)
    • Default apparmor configuration
    • named has read-only access to the keys directory

2021-10-22 Update

The timing information for both keys (according to dnssec-settime -p all) is:

Created: Sun Oct 10 07:51:48 2021
Publish: Sun Oct 10 07:51:48 2021
Activate: Sun Oct 10 07:51:48 2021
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
Tenders McChiken
  • 93
  • 6
  • Timing information is saved in the keys aswell, use dnssec-settime to modify: See under https://dnssec-guide.readthedocs.io/en/latest/signing.html#setting-key-timing-information. Does this solve your problem? – Adrian Zaugg Oct 20 '21 at 23:42
  • Since the keys never expire, I'm not sure that the timing information embedded in my keys is what's causing this issue. I've edited my post to include the timing information for the two keys. – Tenders McChiken Oct 22 '21 at 06:50

0 Answers0