[Pdns-users] How to specify *default* ZSK/KSK auto-signing algorithms in auto-provisioned, pdns superslave?
PGNet Dev
pgnet.dev at gmail.com
Tue Jan 3 04:02:47 UTC 2017
I'm running pdns 4.0.1-264-g50e4ab3
It's configured as an auto-provisioned superslave to a bind9 supermaster.
After NOTIFY of a new zone to pdns from the master, the zone's created & signed:
pdnsutil show-zone example.com
Jan 02 19:28:46 Reading random entropy from '/dev/urandom'
This is a Slave zone
Master: 10.1.1.53
Last time we got update from master: Mon 2017-01-02 19:26:48
SOA serial in database: 1482864727
Refresh interval: 7200 seconds
Zone has following allowed TSIG key(s): pdns-key
Zone uses following TSIG key(s): pdns-key
Metadata items:
ALLOW-AXFR-FROM 10.1.1.53
ALLOW-AXFR-FROM 10.2.2.53
ALLOW-DNSUPDATE-FROM 10.1.1.53
AXFR-MASTER-TSIG pdns-key
AXFR-SOURCE 10.1.1.53
IXFR 1
SOA-EDIT-DNSUPDATE EPOCH
TSIG-ALLOW-AXFR pdns-key
TSIG-ALLOW-DNSUPDATE pdns-key
Zone is presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 5 84d74180
keys:
KSK, tag = 39060, algo = 14, bits = 384
DNSKEY = example.com. IN DNSKEY 257 3 14 sgA...ceE; ( ECDSAP384SHA384 )
DS = example.com. IN DS 39060 14 1 acd...44f ; ( SHA1 digest )
DS = example.com. IN DS 39060 14 2 e01...ec1 ; ( SHA256 digest )
DS = example.com. IN DS 39060 14 4 e94...d79 ; ( SHA-384 digest )
ZSK, tag = 1013, algo = 14, bits = 384
DNSKEY = example.com. IN DNSKEY 256 3 14 RP6...sfx; ( ECDSAP384SHA384 )
Note that the KSK/ZSK are using algo = 14,
KSK, tag = 39060, algo = 14, bits = 384
ZSK, tag = 1013, algo = 14, bits = 384
which *is* clearly one of the supported algos,
pdnsutil list-algorithms
Jan 02 19:34:19 Reading random entropy from '/dev/urandom'
DNSKEY algorithms supported by this installation of PowerDNS:
5 - RSASHA1
7 - RSASHA1-NSEC3-SHA1
8 - RSASHA256
10 - RSASHA512
13 - ECDSAP256SHA256
14 - ECDSAP384SHA384
but, according to
https://doc.powerdns.com/md/authoritative/dnssec/#dnssec-defaults
it is not supposed to be the default ("algorithm 13, ECDSAP256SHA256"):

  DNSSEC Defaults
  Since version 4.0, when securing a zone using pdnsutil secure-zone, a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is used as ZSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as the KSK and two ZSKs. As all keys are online in the database, it made no sense to have this split-key setup.

at least when directly using
  pdnsutil secure-zone
In my pdns.conf I've config'd
...
default-ksk-algorithms=ecdsa256
default-ksk-size=0
default-zsk-algorithms=ecdsa256
default-zsk-size=0
...
which apparently isn't sufficient.
Where/how do I specify the KSK/ZSK algos to be used in this superslave config (not using `pdnsutil secure-zone` on the cmd line)? whether globally, or in per-domain metadata?
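The show-zone output quoted above can be audited mechanically. What follows is an added example, not code from the post or from PowerDNS: it parses `pdnsutil show-zone` text and reports keys whose algorithm differs from a policy value, DS records that still carry a SHA-1 digest, and zones marked presigned, whose DNSKEYs arrive from the master with the zone transfer rather than being generated locally. The sample input is copied from the post (key material elided exactly as it is there); the parser, the `audit` function and the policy default of algorithm 13 are assumptions of this example.

```python
"""Audit DNSSEC key material reported by `pdnsutil show-zone`.

Added example: parses the plain-text output and checks it against a
simple policy (expected DNSKEY algorithm, no SHA-1 DS digests), and
notes presigned zones, whose keys come from the master via AXFR.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Names matching the `pdnsutil list-algorithms` output in the post.
ALGO_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Sample input copied from the post; DNSKEY/DS material is elided as it is there.
SAMPLE = """\
Jan 02 19:28:46 Reading random entropy from '/dev/urandom'
This is a Slave zone
Master: 10.1.1.53
Last time we got update from master: Mon 2017-01-02 19:26:48
SOA serial in database: 1482864727
Refresh interval: 7200 seconds
Zone is presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 5 84d74180
keys:
KSK, tag = 39060, algo = 14, bits = 384
DNSKEY = example.com. IN DNSKEY 257 3 14 sgA...ceE; ( ECDSAP384SHA384 )
DS = example.com. IN DS 39060 14 1 acd...44f ; ( SHA1 digest )
DS = example.com. IN DS 39060 14 2 e01...ec1 ; ( SHA256 digest )
DS = example.com. IN DS 39060 14 4 e94...d79 ; ( SHA-384 digest )
ZSK, tag = 1013, algo = 14, bits = 384
DNSKEY = example.com. IN DNSKEY 256 3 14 RP6...sfx; ( ECDSAP384SHA384 )
"""


@dataclass
class Key:
    role: str            # "KSK" or "ZSK"
    tag: int
    algo: int
    bits: int
    ds_digests: List[int] = field(default_factory=list)  # DS digest types listed under the key


@dataclass
class ZoneInfo:
    kind: str = ""                   # "Slave", "Master", "Native"
    presigned: bool = False
    nsec3: Optional[str] = None      # NSEC3 parameter string, if the zone uses NSEC3
    keys: List[Key] = field(default_factory=list)


KEY_RE = re.compile(r"^(KSK|ZSK), tag = (\d+), algo = (\d+), bits = (\d+)$")
DS_RE = re.compile(r"^DS = \S+ IN DS (\d+) (\d+) (\d+) ")


def parse_show_zone(text: str) -> ZoneInfo:
    """Extract zone kind, presigned flag, NSEC3 parameters and keys from show-zone output."""
    info = ZoneInfo()
    current = None  # the key that subsequent DS lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("This is a ") and line.endswith(" zone"):
            info.kind = line[len("This is a "):-len(" zone")]
        elif line == "Zone is presigned":
            info.presigned = True
        elif line.startswith("Zone has hashed NSEC3 semantics, configuration: "):
            info.nsec3 = line.split(": ", 1)[1]
        else:
            m = KEY_RE.match(line)
            if m:
                current = Key(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4)))
                info.keys.append(current)
                continue
            m = DS_RE.match(line)
            if m and current is not None:
                current.ds_digests.append(int(m.group(3)))
    return info


def audit(info: ZoneInfo, expected_algo: int = 13) -> List[str]:
    """Return policy findings; expected_algo defaults to 13 (ECDSAP256SHA256), an assumption here."""
    findings = []
    if info.presigned:
        findings.append("zone is presigned: its DNSKEYs were transferred from the master, "
                        "so local default-ksk/zsk-algorithms settings do not apply to them")
    for k in info.keys:
        if k.algo != expected_algo:
            findings.append("%s tag %d uses algo %d (%s); policy expects %d (%s)" % (
                k.role, k.tag, k.algo, ALGO_NAMES.get(k.algo, "?"),
                expected_algo, ALGO_NAMES.get(expected_algo, "?")))
        if 1 in k.ds_digests:
            findings.append("%s tag %d has a DS record with a SHA-1 digest (type 1); "
                            "publish the SHA-256 (type 2) DS instead" % (k.role, k.tag))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_zone(SAMPLE)):
        print("-", finding)
```

Run against the post's output, the audit reports the presigned state once, one algorithm mismatch per key (both are algorithm 14 against the assumed policy of 13), and the SHA-1 DS on the KSK; pass `expected_algo=14` to see only the presigned note and the SHA-1 finding.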