[Pdns-users] Trouble rolling a ZSK
pieter.lexis at powerdns.com
Tue Oct 15 18:19:41 UTC 2019
On 10/15/19 9:23 AM, Mike Cardwell wrote:
> I think you've spotted the problem. I was running:
> $ pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1
> Which was creating a new ZSK with an algorithm of 5, when the old KSK
> and ZSK were both algorithm 7 in the db.
Right, so because of the wrong algo you got the 2 sigs (1 for each
"algo"), as we "upgrade" algo 5 to 7 for NSEC3 zones.
> When I append "-nsec3-sha1" to the algorithm arg, it started working
> $ pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1-nsec3-
Wonderful to hear!
> Not sure if this was my mistake, or a bug in the program, or a
> combination, but FWIW, the reason I used "rsasha1" as my argument
> instead of "rsasha1-nsec3-sha1" was because I felt like that was what
> the help output was telling me to do:
> root at ned:~# pdnsutil add-zone-key help
> Oct 15 08:17:55 Reading random entropy from '/dev/urandom'
> Syntax: pdnsutil add-zone-key ZONE zsk|ksk [BITS] [active|inactive]
It is 3 things:
1. The help output is indeed missing algo 7
2. You then created a key with the wrong algo
3. Our upgrade codepath from algo 5 to 7 is missing things
I've discussed this issue with our product owner and we're planning to
remove the algo 5 to algo 7 upgrade functionality in an upcoming
version, where some tools will be available to fix the database.
In the meantime, I've fixed the help output of pdnsutil.
1 - https://github.com/PowerDNS/pdns/pull/8420
PowerDNS.COM BV -- https://www.powerdns.com