[Pdns-users] Trouble rolling a ZSK

Mike Cardwell pdns-users at lists.grepular.com
Mon Oct 14 07:54:13 UTC 2019


I'm looking into migrating from Bind9 to PowerDNS. Although I've not
changed nameservers on the domain yet, I've imported my zone file,
imported my existing KSK and ZSK and that works fine:

root at ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm             ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 KSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
root at ned:~#

When I do an A record lookup I also get a single RRSIG as expected:

root at ned:~# dig +short +dnssec a parsemail.org @51.91.158.226
A 7 2 86400 20191024000000 20191003000000 8897 parsemail.org.
Z3RBkP2I+qkjYLeQAL1WuvQlFySpA8G3bBNVNomV49IcHke4p1/dalhH
PmYoexPb2rOrjqiOod3ZMJwm/pHj+xt2Flr7MAcpzwNoVW4ktP7aDOkb
HToFVetep7dd/dbf0Z/v9NAuSbrk77EtoMLIJBQKkiGXEVJzllBBRi6C 70E=
164.132.228.175
root at ned:~#

However, I've tested rolling the ZSK, and I don't know if I've missed a
step but something weird happens. First, adding a new ZSK works fine:

root at ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1
Added a ZSK with algorithm = 5, active=1
Requested specific key size of 1024 bits
3
root at ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm             ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  21947
parsemail.org                 KSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
root at ned:~# dig +short +dnssec a parsemail.org @51.91.158.226
164.132.228.175
A 7 2 86400 20191024000000 20191003000000 21947 parsemail.org.
ehGATVrFl+qo9I7pmbb3WGRKCaWRR6ZvLr0vBq33Gcn3SAI9W7SumEyM
f/1seXhfGbZKtpP9ZmX0ZIP8hWkv56mZMpnfAYPLN6Pfs0Qmm5UT7/hY
UAast/yLmUmu58cHKgSUdzKQt0cufw1nrVIuAlzRNa4PsH0+19Jg/ucS tfM=
A 7 2 86400 20191024000000 20191003000000 8897 parsemail.org.
Z3RBkP2I+qkjYLeQAL1WuvQlFySpA8G3bBNVNomV49IcHke4p1/dalhH
PmYoexPb2rOrjqiOod3ZMJwm/pHj+xt2Flr7MAcpzwNoVW4ktP7aDOkb
HToFVetep7dd/dbf0Z/v9NAuSbrk77EtoMLIJBQKkiGXEVJzllBBRi6C 70E=
root at ned:~# 

As you can see above I now have 2 ZSKs and 2 RRSIGs with each lookup.
But when I go to remove the old ZSK:

root at ned:~# pdnsutil remove-zone-key parsemail.org 2
root at ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm             ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  21947
parsemail.org                 KSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
root at ned:~# pdnsutil remove-zone-key parsemail.org 2
root at ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm             ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 CSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  21947
root at ned:~# dig +short +dnssec a parsemail.org @51.91.158.226
A 7 2 86400 20191024000000 20191003000000 36696 parsemail.org.
PbSfL1r+Guzq4cDn26bOKeNYYI+Gv1W8Pq4jDnYlqHHOe1uG8hYeL3iU
XfMVVTjR80Fzaj2cavTFqxWjxcvp+nzbdGT3m3lbRFiasQnsW+KWpSOw
PbzYMr1PQAC8RQuKZkmRxqhXUV0L7oso762WUBfTPYKP7xha7RDtEsa1
idgqnCN+vasBCHA4mFx7tm73/0pKQsCEXC3ZIJkmD5iIHJR/hxdp7LfW
Cl0TC1ntdhwCblepjzJ525ZWBeA8FuB0ZzfHj2oNv0nDvZU2v+c90rMP
nijE6hzSkUnJC5vWZOGeJE0ONd2PBDHAc2SyZgOHmI3FnxQWTmT0Tg9s TOn+YA==
A 7 2 86400 20191024000000 20191003000000 21947 parsemail.org.
ehGATVrFl+qo9I7pmbb3WGRKCaWRR6ZvLr0vBq33Gcn3SAI9W7SumEyM
f/1seXhfGbZKtpP9ZmX0ZIP8hWkv56mZMpnfAYPLN6Pfs0Qmm5UT7/hY
UAast/yLmUmu58cHKgSUdzKQt0cufw1nrVIuAlzRNa4PsH0+19Jg/ucS tfM=
164.132.228.175
root at ned:~#

So the ZSK was removed, but now the output lists the new ZSK as a CSK,
and I'm still getting 2 RRSIGs. What have I done wrong or missed?

Regards,

Mike
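The post checks each rollover step by eye: reading `pdnsutil list-keys` for the published key tags and `dig +short +dnssec` for which tags signed the A RRset. The script below is an added example (not from the post, and not part of PowerDNS) that automates that comparison so a rollover can be verified before the nameserver change is made. It parses both outputs, then reports three things a validator or operator cares about: an RRSIG by a key tag that is no longer published (validation fails), a signer that was not expected at this stage (the post's KSK signing the A record after the old ZSK was removed), and an expected signer that produced no RRSIG. The sample inputs are constructed from the three stages shown in the post, with the mail-client line wrapping undone (dig prints one record per line) and the base64 signatures truncated; it assumes every key listed by `list-keys` is active and published, as in the post.

```python
"""Check a DNSSEC ZSK rollover from pdnsutil and dig output (added example)."""
import re
from dataclasses import dataclass

# `dig +short +dnssec` prints only the RRSIG RDATA, in this field order:
# type_covered alg labels orig_ttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<covered>[A-Z0-9]+) (?P<alg>\d+) (?P<labels>\d+) (?P<ttl>\d+) "
    r"(?P<expiration>\d{14}) (?P<inception>\d{14}) (?P<keytag>\d+) "
    r"(?P<signer>\S+) (?P<sig>\S+)$"
)


@dataclass(frozen=True)
class Rrsig:
    covered: str
    algorithm: int
    keytag: int
    expiration: str
    inception: str


@dataclass(frozen=True)
class ZoneKey:
    zone: str
    ktype: str      # ZSK, KSK or CSK, as printed by list-keys
    size: int
    algorithm: str
    key_id: int
    keytag: int


def parse_dig_short(output):
    """Split `dig +short +dnssec` output into (answer lines, RRSIG records)."""
    answers, rrsigs = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RRSIG_RE.match(line)
        if m:
            rrsigs.append(Rrsig(m["covered"], int(m["alg"]), int(m["keytag"]),
                                m["expiration"], m["inception"]))
        else:
            answers.append(line)
    return answers, rrsigs


def parse_list_keys(output):
    """Parse the table printed by `pdnsutil list-keys` (header and rule lines skipped)."""
    keys = []
    for line in output.splitlines():
        f = line.split()
        if len(f) == 7 and f[1] in ("ZSK", "KSK", "CSK"):
            keys.append(ZoneKey(f[0], f[1], int(f[2]), f[3], int(f[4]), int(f[6])))
    return keys


def check_rollover(keys, rrsigs, expected_signers, covered="A"):
    """Compare who signed the RRset with who should have at this stage.

    Returns a list of findings; an empty list means the RRset is signed by
    exactly the expected key tags and each of them is a published key.
    """
    published = {k.keytag: k for k in keys}
    signers = {r.keytag for r in rrsigs if r.covered == covered}
    findings = []
    if not signers:
        findings.append(f"no RRSIG covering {covered}")
    for tag in sorted(signers - set(published)):
        findings.append(f"RRSIG by key tag {tag} but no DNSKEY for it is published")
    for tag in sorted(signers & (set(published) - set(expected_signers))):
        k = published[tag]
        findings.append(f"unexpected signer {tag} ({k.ktype} id {k.key_id})")
    for tag in sorted(set(expected_signers) - signers):
        findings.append(f"expected signer {tag} produced no RRSIG")
    return findings


# Constructed sample data: the three stages from the post, signatures truncated.
KEY_ROW = "parsemail.org {} {} RSASHA1-NSEC3-SHA1 {} cryptokeys {}"
STAGE1_KEYS = "\n".join([KEY_ROW.format("ZSK", 1024, 2, 8897), KEY_ROW.format("KSK", 2048, 1, 36696)])
STAGE2_KEYS = STAGE1_KEYS + "\n" + KEY_ROW.format("ZSK", 1024, 3, 21947)
STAGE3_KEYS = "\n".join([KEY_ROW.format("CSK", 2048, 1, 36696), KEY_ROW.format("CSK", 1024, 3, 21947)])
SIG = "A 7 2 86400 20191024000000 20191003000000 {} parsemail.org. {}"
STAGE1_DIG = SIG.format(8897, "Z3RBkP2I+qkjYLeQAL1WuvQlFySpA8G3bBNVNomV49IcHke4p1/dalhH") + "\n164.132.228.175"
STAGE2_DIG = "164.132.228.175\n" + SIG.format(21947, "ehGATVrFl+qo9I7pmbb3WGRKCaWRR6ZvLr0vBq33Gcn3SAI9W7SumEyM") \
    + "\n" + SIG.format(8897, "Z3RBkP2I+qkjYLeQAL1WuvQlFySpA8G3bBNVNomV49IcHke4p1/dalhH")
STAGE3_DIG = SIG.format(36696, "PbSfL1r+Guzq4cDn26bOKeNYYI+Gv1W8Pq4jDnYlqHHOe1uG8hYeL3iU") + "\n" \
    + SIG.format(21947, "ehGATVrFl+qo9I7pmbb3WGRKCaWRR6ZvLr0vBq33Gcn3SAI9W7SumEyM") + "\n164.132.228.175"

if __name__ == "__main__":
    # Expected signers per stage: old ZSK only, both ZSKs while double-signing, new ZSK only.
    for name, keys, dig, expected in [("before", STAGE1_KEYS, STAGE1_DIG, {8897}),
                                      ("double-signed", STAGE2_KEYS, STAGE2_DIG, {8897, 21947}),
                                      ("after removal", STAGE3_KEYS, STAGE3_DIG, {21947})]:
        findings = check_rollover(parse_list_keys(keys), parse_dig_short(dig)[1], expected)
        print(name, "->", findings or "ok")
```

Run as-is, the first two stages report `ok` and the third reports `unexpected signer 36696 (CSK id 1)`, which is the symptom the post describes. To use it on a live zone, feed it the real outputs (`pdnsutil list-keys` and `dig +short +dnssec a <zone> @<server>`) and pass the key tag(s) you intend to be signing at that stage.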