I'm testing DNSSEC with Bind 9.7.2-P2. I have a question regarding the first signature created over a zone that already exists. I'm using dynamic DNS.

I create the first two keys: one KSK and one ZSK. According to https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-key-timing/, the first ZSK needs to be published for an interval equal to Ipub, before it can be active.

I create the ZSK with a Publication date previous to its Activation date. I restart the service and I can see that the key is published at the Publication date, but it's not active later, when the Activation date arrives.

This is the configuration of the zone dnssec.es at the named.conf file:

zone "dnssec.es" {
  auto-dnssec maintain;
  update-policy local;
  sig-validity-interval 1;
  key-directory "dnssec/keys_dnssec";
  type master;
  file "dnssec/db.dnssec.es";
};

Any clue??

Regards

Arancha

1 Answer

The timing considerations discussed in that internet draft are for when you're rolling from one key to another, to allow time for signatures from the previous ZSK to expire from caches. It's not necessary to pre-publish the ZSK when you're signing the zone for the first time.

What happened here is, you told it to start signing the zone using only one key, the KSK. Because there were no other published keys, it signed the whole zone with the one key it had available, the KSK. (That's legal DNSSEC, but it's not the typical configuration. If there had been an active ZSK, it would have signed the DNSKEY record with the KSK and signed everything else with the ZSK alone, but it had to work with what it was given.)

Sometime later, the ZSK was published (but not activated), so it was added to the DNSKEY record but not used for signing. Later still, the ZSK did become active, but the records in the zone are already all signed at that point, so named reckons there's no need for it to do any work right now. When the KSK signatures get close to their expiration times, they should automatically be flushed out of the zone and replaced with signatures from the now-active ZSK. Since you have sig-validity-interval set to one day, this should start happening sometime tomorrow.

Anyway, for your purposes, you just wanted to make two keys that were published and active immediately. You don't need to think about prepublication intervals until you roll keys.

Evan (principal author of BIND 9.7)

Evan Hunt
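To make the answer's reasoning concrete, here is an added example (not code from the question, the answer, or BIND itself) that reads the timing metadata dnssec-keygen writes into each `.key` file and works out, for a given moment, which keys sit in the DNSKEY RRset and which keys would sign what. The two key files are constructed samples with placeholder key material, and the "KSK signs everything until a ZSK becomes active" rule is taken from the answer above.

```python
import re

# Constructed sample key files in the format dnssec-keygen writes (the DNSKEY
# RDATA is a placeholder, not real key material). Timestamps are UTC YYYYMMDDHHMMSS.
SAMPLE_KEY_FILES = {
    "Kdnssec.es.+008+11111.key": """\
; This is a key-signing key, keyid 11111, for dnssec.es.
; Publish: 20101101120000 (Mon Nov  1 12:00:00 2010)
; Activate: 20101101120000 (Mon Nov  1 12:00:00 2010)
dnssec.es. IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDER==
""",
    "Kdnssec.es.+008+22222.key": """\
; This is a zone-signing key, keyid 22222, for dnssec.es.
; Publish: 20101101120000 (Mon Nov  1 12:00:00 2010)
; Activate: 20101108120000 (Mon Nov  8 12:00:00 2010)
dnssec.es. IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDER==
""",
}

def parse_key_file(text):
    """Return the timing metadata and role (KSK/ZSK) from a BIND .key file."""
    meta = dict(re.findall(r"^; (Publish|Activate|Inactive|Delete): (\d{14})", text, re.M))
    flags = int(re.search(r"\sDNSKEY\s+(\d+)\s", text).group(1))
    meta["role"] = "KSK" if flags & 1 else "ZSK"  # SEP bit: 257 = KSK, 256 = ZSK
    return meta

def key_state(meta, now):
    """State of one key at `now` (14-digit UTC string; these sort chronologically)."""
    if "Publish" not in meta or now < meta["Publish"]:
        return "hidden"        # not yet in the DNSKEY RRset
    if "Delete" in meta and now >= meta["Delete"]:
        return "removed"
    active = "Activate" in meta and now >= meta["Activate"]
    retired = "Inactive" in meta and now >= meta["Inactive"]
    return "active" if active and not retired else "published"

def signing_plan(key_files, now):
    """Which keys are in the DNSKEY RRset, and which keys sign what, at `now`."""
    keys = {name: parse_key_file(txt) for name, txt in key_files.items()}
    states = {name: key_state(m, now) for name, m in keys.items()}
    in_rrset = sorted(n for n, s in states.items() if s in ("published", "active"))
    ksks = sorted(n for n, s in states.items() if s == "active" and keys[n]["role"] == "KSK")
    zsks = sorted(n for n, s in states.items() if s == "active" and keys[n]["role"] == "ZSK")
    # With only a KSK active, named signs the whole zone with it (legal, but unusual);
    # once a ZSK is active, the KSK signs only DNSKEY and the ZSK signs everything else.
    return {"dnskey_rrset": in_rrset, "dnskey_signer": ksks or zsks, "zone_signer": zsks or ksks}
```

Run `signing_plan(SAMPLE_KEY_FILES, "20101103000000")` and then again with a date after the ZSK's Activate time to see the zone signer move from the KSK to the ZSK; the existing KSK signatures only get replaced when named refreshes them, as the answer describes.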