[Pdns-users] Trouble rolling a ZSK

Mike Cardwell pdns-users at lists.grepular.com
Mon Oct 14 09:20:17 UTC 2019


On Mon, 2019-10-14 at 10:57 +0200, Gert van Dijk wrote:
> On Mon, Oct 14, 2019 at 9:54 AM Mike Cardwell
> <pdns-users at lists.grepular.com> wrote:
> > I'm looking into migrating from Bind9 to PowerDNS. [...]
> 
> Have you seen the instructions on how to perform a ZSK rollover [1]?
> I don't see that you invoke the {activate,deactivate}-zone-key or the
> soa serial number update. (Not sure if you need a rectify-zone
> command too though.)

Yeah, I read those instructions. I didn't do the activate/deactivate
step though as it wasn't necessary, as I added the key as active
immediately. I've just repeated the process but this time adding the
key as inactive. Now, as soon as I deactivate the old key, the list
switches from "KSK+ZSK+ZSK" to "CSK+CSK+CSK":

root@ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 inactive rsasha1
Added a ZSK with algorithm = 5, active=0
Requested specific key size of 1024 bits
3
root@ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm    ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  58769
parsemail.org                 KSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
root@ned:~# pdnsutil activate-zone-key parsemail.org 3
root@ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm    ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 ZSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  58769
parsemail.org                 KSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
root@ned:~# pdnsutil deactivate-zone-key parsemail.org 2
root@ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm    ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 CSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  58769
root@ned:~# pdnsutil rectify-zone parsemail.org
Adding NSEC3 hashed ordering information for 'parsemail.org'
root@ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm    ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 CSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    2    cryptokeys  8897
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  58769
root@ned:~# pdnsutil remove-zone-key parsemail.org 2
root@ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm    ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 CSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  58769
root@ned:~# pdnsutil rectify-zone parsemail.org
Adding NSEC3 hashed ordering information for 'parsemail.org'
root@ned:~# pdnsutil list-keys
Zone                          Type    Size    Algorithm    ID   Location    Keytag
----------------------------------------------------------------------------------
parsemail.org                 CSK     2048    RSASHA1-NSEC3-SHA1    1    cryptokeys  36696
parsemail.org                 CSK     1024    RSASHA1-NSEC3-SHA1    3    cryptokeys  58769
root@ned:~#


> That your ZSK/KSK is listed as CSK sounds like a bug to me, though.
> What is your pdns version?

root@ned:~# dpkg -l|grep -i pdns
ii  pdns-backend-sqlite3                 4.1.6-3                      amd64        sqlite 3 backend for PowerDNS
ii  pdns-server                          4.1.6-3                      amd64        extremely powerful and versatile nameserver
root@ned:~#

The standard Debian 10 (Buster) 4.1.6-3 release.

Regards,

Mike
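The session above runs the steps of a pre-publish ZSK rollover (add the new ZSK inactive, activate it, deactivate the old one, rectify, remove) back to back, with none of the waits the procedure depends on and with the old key removed even though the listing had already changed shape. The script below is an added example, written for this page and not taken from the thread or from the PowerDNS project. It drives the same pdnsutil subcommands, bumps the SOA serial with increase-serial as Gert suggests, waits between phases, and refuses to remove the old key unless list-keys still shows exactly one KSK plus the new ZSK and no CSK rows, so the all-CSK listing in the post would stop it before the destructive step. Assumptions: the 4.1 list-keys column layout quoted above (Zone Type Size Algorithm ID Location Keytag), add-zone-key printing the new key ID on its last line as it does in the post, one ZSK in the zone when the rollover starts, and a ROLLOVER_WAIT that covers the largest DNSKEY or RRSIG TTL involved. The PDNSUTIL variable exists so the script can be exercised against a stub; the name zsk-rollover.sh in the usage line is hypothetical.

```shell
#!/bin/sh
# Pre-publish ZSK rollover for one PowerDNS zone via pdnsutil (added example,
# not from the thread). Assumes 4.1-style list-keys columns
# (Zone Type Size Algorithm ID Location Keytag), add-zone-key printing the
# new key ID on its last line, and ROLLOVER_WAIT >= the largest TTL involved.
set -e

PDNSUTIL="${PDNSUTIL:-pdnsutil}"   # overridable so the script can be dry-run against a stub
WAIT="${ROLLOVER_WAIT:-86400}"     # seconds between phases; must cover DNSKEY and RRSIG TTLs

# Print the key IDs of one type (KSK, ZSK or CSK) for a zone, one per line.
keys_of_type() {
  "$PDNSUTIL" list-keys "$1" | awk -v zone="$1" -v kt="$2" '$1 == zone && $2 == kt { print $5 }'
}

# Refuse to continue unless the zone lists exactly one KSK, the expected ZSK and
# no CSK rows: a listing that has collapsed to CSK (as in the post) needs a human.
check_split_keys() {
  zone="$1"; want_zsk="$2"
  ksk_count=$(keys_of_type "$zone" KSK | wc -l | tr -d ' ')
  [ "$ksk_count" -eq 1 ] || { echo "abort: expected 1 KSK in $zone, found $ksk_count" >&2; return 1; }
  keys_of_type "$zone" ZSK | grep -qx "$want_zsk" || { echo "abort: ZSK $want_zsk missing from $zone" >&2; return 1; }
  [ -z "$(keys_of_type "$zone" CSK)" ] || { echo "abort: CSK rows in $zone, investigate before removing keys" >&2; return 1; }
}

# zsk_rollover ZONE ALGORITHM [BITS]; ALGORITHM must be the one the zone's keys already use.
zsk_rollover() {
  zone="$1"; algo="$2"; bits="${3:-}"
  zsk_count=$(keys_of_type "$zone" ZSK | wc -l | tr -d ' ')
  [ "$zsk_count" -eq 1 ] || { echo "abort: need exactly one ZSK to roll, found $zsk_count" >&2; return 1; }
  old_id=$(keys_of_type "$zone" ZSK)

  # Phase 1, pre-publish: the new DNSKEY goes out inactive, signing nothing yet.
  new_id=$("$PDNSUTIL" add-zone-key "$zone" zsk ${bits:+"$bits"} inactive "$algo" | tail -n 1)
  "$PDNSUTIL" increase-serial "$zone"
  sleep "$WAIT"   # every cache must hold the new DNSKEY before it has to validate with it

  # Phase 2, switch: the new key signs, the old key stops signing but stays published.
  "$PDNSUTIL" activate-zone-key "$zone" "$new_id"
  "$PDNSUTIL" deactivate-zone-key "$zone" "$old_id"
  "$PDNSUTIL" increase-serial "$zone"
  check_split_keys "$zone" "$new_id"
  sleep "$WAIT"   # old RRSIGs must have expired from caches before their key disappears

  # Phase 3, retire: drop the old DNSKEY, then rectify and republish.
  "$PDNSUTIL" remove-zone-key "$zone" "$old_id"
  "$PDNSUTIL" rectify-zone "$zone"
  "$PDNSUTIL" increase-serial "$zone"
  echo "$new_id"
}

# Usage: ROLLOVER_WAIT=86400 sh zsk-rollover.sh parsemail.org rsasha1-nsec3-sha1 1024
[ -z "${1:-}" ] || zsk_rollover "$@"
```

The algorithm argument must match what the zone's existing keys use; introducing a new algorithm is an algorithm rollover, in which every RRset has to carry signatures under both algorithms while both are in the DNSKEY set, and that is a different procedure from a ZSK rollover.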