[Pdns-users] Trouble rolling a ZSK
Pieter Lexis
pieter.lexis at powerdns.com
Mon Oct 14 15:56:30 UTC 2019
Hi Mike,
I spotted something that *might* be the root of your issue (and perhaps a
small bug on our end).
On 10/14/19 9:54 AM, Mike Cardwell wrote:
> root at ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1
> Added a ZSK with algorithm = 5, active=1
> Requested specific key size of 1024 bits
> 3
> root at ned:~# pdnsutil list-keys
> Zone           Type  Size  Algorithm           ID  Location    Keytag
> ----------------------------------------------------------------------
> parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
> parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
> parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
A key with algo 5 (rsasha1) is created, but it looks like your zone uses
NSEC3, meaning PowerDNS will 'fake' algorithm 7 (Algorithm 5 can't be
used with NSEC3).
Could you verify with an SQL query (`select * from cryptokeys`) that the
existing keys are algo 7 in the database and the new one is 5?
> root at ned:~# pdnsutil list-keys
> Zone           Type  Size  Algorithm           ID  Location    Keytag
> ----------------------------------------------------------------------
> parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
> parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
>
> So the ZSK was removed, but now the output lists the new ZSK as a CSK,
> and I'm still getting 2 RRSIGs. What have I done wrong or missed?
I *think* this might be the mix of algo 5 and 7 in the database. Can you
try to create the new key like this:
pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1-nsec3-sha1
and test if you indeed see a good KSK/ZSK split? If so, there might be
some logic missing in handling the 'automatic' upgrade from algo 5 to 7
in NSEC3 zones.
Best regards,
Pieter
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
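The check Pieter asks for above (query `cryptokeys` and compare the algorithm number stored for each key with what the zone actually uses) can be scripted. The following is an added example and is not code from the thread or from PowerDNS itself. It builds a throwaway SQLite database whose `domains`, `cryptokeys` and `domainmetadata` tables follow the column layout I assume for PowerDNS's generic SQL backend (verify against your own schema), fills it with constructed rows that mirror the situation in the thread (two algorithm 7 keys plus a newly added algorithm 5 ZSK in an NSEC3 zone), and reports any key whose stored algorithm number differs from the one PowerDNS will present, plus any zone that mixes stored algorithm numbers. The `Private-key-format` blob and the NSEC3PARAM metadata content are constructed stand-ins.

```python
"""Audit the algorithm number stored for each DNSSEC key of a PowerDNS zone.

Added example, not part of the mailing-list thread. Schema and key-content
layout are assumptions about the generic SQL backend; check your own.
"""
import re
import sqlite3

# IANA DNSSEC algorithm numbers; 7 is the NSEC3-capable variant of 5.
ALGO_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
# PowerDNS presents algorithm 5 keys as algorithm 7 in NSEC3 zones (per the thread).
NSEC3_UPGRADE = {5: 7}

# Assumed column layout of the PowerDNS generic SQL backend tables we need.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INTEGER, flags INTEGER,
                         active INTEGER, published INTEGER, content TEXT);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER,
                             kind TEXT, content TEXT);
"""


def private_key_blob(algo):
    """Constructed stand-in for the BIND-format private key text PowerDNS stores."""
    return (f"Private-key-format: v1.2\nAlgorithm: {algo} ({ALGO_NAMES[algo]})\n"
            "Modulus: <constructed, not a real key>\n")


def make_sample_db():
    """Build an in-memory database with constructed rows mirroring the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains VALUES (1, 'parsemail.org')")
    # Presence of NSEC3PARAM metadata is taken as 'this zone uses NSEC3' (assumption).
    conn.execute("INSERT INTO domainmetadata VALUES (1, 1, 'NSEC3PARAM', '1 0 1 ab')")
    rows = [  # id, domain_id, flags (257 = KSK, 256 = ZSK), active, published, content
        (1, 1, 257, 1, 1, private_key_blob(7)),
        (2, 1, 256, 1, 1, private_key_blob(7)),
        (3, 1, 256, 1, 1, private_key_blob(5)),  # the 'rsasha1' ZSK added in the thread
    ]
    conn.executemany("INSERT INTO cryptokeys VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def stored_algorithm(content):
    """Extract the algorithm number from the 'Algorithm:' line of the key content."""
    m = re.search(r"^Algorithm:\s*(\d+)", content, re.MULTILINE)
    if not m:
        raise ValueError("no Algorithm line in key content")
    return int(m.group(1))


def zone_uses_nsec3(conn, domain_id):
    row = conn.execute("SELECT 1 FROM domainmetadata WHERE domain_id = ? AND kind = 'NSEC3PARAM'",
                       (domain_id,)).fetchone()
    return row is not None


def audit_zone(conn, zone):
    """Return every key of the zone with its stored and effective algorithm, plus findings."""
    (domain_id,) = conn.execute("SELECT id FROM domains WHERE name = ?", (zone,)).fetchone()
    nsec3 = zone_uses_nsec3(conn, domain_id)
    keys, findings = [], []
    for kid, flags, active, content in conn.execute(
            "SELECT id, flags, active, content FROM cryptokeys WHERE domain_id = ? ORDER BY id",
            (domain_id,)):
        stored = stored_algorithm(content)
        effective = NSEC3_UPGRADE.get(stored, stored) if nsec3 else stored
        role = "KSK" if flags & 1 else "ZSK"  # bit 0 of flags is the SEP bit
        keys.append({"id": kid, "role": role, "active": bool(active),
                     "stored": stored, "effective": effective})
        if stored != effective:
            findings.append(f"key {kid} ({role}) is stored as algorithm {stored} but will be "
                            f"presented as {effective} because the zone uses NSEC3")
    stored_set = {k["stored"] for k in keys}
    if len(stored_set) > 1:
        findings.append(f"zone mixes stored algorithm numbers {sorted(stored_set)}; re-create "
                        f"the new key with the algorithm name the existing keys use")
    return {"zone": zone, "nsec3": nsec3, "keys": keys, "findings": findings}


if __name__ == "__main__":
    report = audit_zone(make_sample_db(), "parsemail.org")
    for k in report["keys"]:
        print(f"id={k['id']} {k['role']} active={k['active']} "
              f"stored={k['stored']} effective={k['effective']}")
    for f in report["findings"]:
        print("!", f)
```

Against a real deployment you would replace `make_sample_db()` with a connection to the backend database; the audit itself only reads the three tables. The point of separating `stored` from `effective` is that `pdnsutil list-keys` shows the effective algorithm, so the 5-vs-7 mix is invisible there and only the database row reveals it.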