[Pdns-users] Trouble rolling a ZSK
Mike Cardwell
pdns-users at lists.grepular.com
Mon Oct 14 09:20:17 UTC 2019
On Mon, 2019-10-14 at 10:57 +0200, Gert van Dijk wrote:
> On Mon, Oct 14, 2019 at 9:54 AM Mike Cardwell
> <pdns-users at lists.grepular.com> wrote:
> > I'm looking into migrating from Bind9 to PowerDNS. [...]
>
> Have you seen the instructions on how to perform a ZSK rollover [1]? I
> don't see that you invoke the {activate,deactivate}-zone-key or the
> soa serial number update. (Not sure if you need a rectify-zone command
> too though.)
Yeah, I read those instructions. I didn't do the activate/deactivate
step though as it wasn't necessary, as I added the key as active
immediately. I've just repeated the process but this time adding the
key as inactive. Now, as soon as I deactivate the old key, the list
switches from "KSK+ZSK+ZSK" to "CSK+CSK+CSK":
root at ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 inactive rsasha1
Added a ZSK with algorithm = 5, active=0
Requested specific key size of 1024 bits
3
root at ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
root at ned:~# pdnsutil activate-zone-key parsemail.org 3
root at ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
root at ned:~# pdnsutil deactivate-zone-key parsemail.org 2
root at ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
root at ned:~# pdnsutil rectify-zone parsemail.org
Adding NSEC3 hashed ordering information for 'parsemail.org'
root at ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
root at ned:~# pdnsutil remove-zone-key parsemail.org 2
root at ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
root at ned:~# pdnsutil rectify-zone parsemail.org
Adding NSEC3 hashed ordering information for 'parsemail.org'
root at ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
root at ned:~#
> That your ZSK/KSK is listed as CSK sounds like a bug to me, though.
> What is your pdns version?
root at ned:~# dpkg -l|grep -i pdns
ii  pdns-backend-sqlite3  4.1.6-3  amd64  sqlite 3 backend for PowerDNS
ii  pdns-server           4.1.6-3  amd64  extremely powerful and versatile nameserver
root at ned:~#
The standard Debian 10 (Buster) 4.1.6-3 release.
Regards,
Mike
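A check for the state this message describes, added here as an example and not part of the thread or of PowerDNS itself: it parses the 4.1-style "pdnsutil list-keys" output (the two listings are constructed to match the ones quoted above) and reports when a zone's keys stop being one KSK plus ZSKs, so each rollover step can be verified before moving on to the next.

```python
"""Parse `pdnsutil list-keys` output (PowerDNS 4.1 column layout) and flag a
key set that no longer looks like a KSK + ZSK split, as in the listing above."""
from collections import Counter

# Constructed samples, laid out like the 4.1.6 output quoted in the thread.
LISTING_BEFORE = """\
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
"""
LISTING_AFTER = """\
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------
parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  58769
"""

def parse_list_keys(text):
    """Return one dict per key row; header, separator and blank lines are skipped."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] not in ("KSK", "ZSK", "CSK"):
            continue
        zone, ktype, size, alg, kid, loc, tag = parts
        keys.append({"zone": zone, "type": ktype, "size": int(size),
                     "algorithm": alg, "id": int(kid), "location": loc,
                     "keytag": int(tag)})
    return keys

def rollover_problems(keys, zone):
    """What is wrong with a zone's key set during a split KSK/ZSK rollover;
    empty means exactly one KSK, at least one ZSK, no CSK, one algorithm."""
    problems = []
    zone_keys = [k for k in keys if k["zone"] == zone]
    types = Counter(k["type"] for k in zone_keys)
    if types["CSK"]:
        problems.append("%d key(s) reported as CSK; expected separate KSK and ZSK" % types["CSK"])
    if types["KSK"] != 1:
        problems.append("expected exactly one KSK, found %d" % types["KSK"])
    if types["ZSK"] == 0:
        problems.append("no ZSK present")
    algorithms = {k["algorithm"] for k in zone_keys}
    if len(algorithms) > 1:  # two algorithms means an algorithm rollover, a different procedure
        problems.append("mixed algorithms: " + ", ".join(sorted(algorithms)))
    return problems
```

Run it against the live output (pdnsutil list-keys | python3 check.py, reading stdin) after each add/activate/deactivate step and stop the rollover as soon as it returns anything.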