DNSSEC issues on bind918

Hey people,

In the previous version of bind I used bash scripts in crontab to automate the entire process of creating the KSK and ZSK keys; unfortunately, due to the new Policy feature, this automation of mine is no longer valid.
I installed the new version of bind and I needed to reconfigure it, but I found the following issues:


1 - KSK and ZSK parameters need to be uppercase

Bind's documentation page about this new feature uses the following example to have both keys:
Code:
dnssec-policy "myway" {
    keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime P60D algorithm rsasha256 1024;
    };
};

zone "example.com" {
    dnssec-policy myway;
};

Using lowercase ksk and zsk as in the example will result in the following error:
Code:
dnssec-policy: algorithm 13 requires both KSK and ZSK roles
In my case I am using something similar to:
Code:
dnssec-policy "myway" {
    keys {
        KSK key-directory lifetime P180D algorithm 14;
        ZSK key-directory lifetime P30D algorithm 13;
    };
};
2 - It is not generating the KSK

After changing the example to KSK and ZSK (uppercase), the KSK key is not generated; instead, two ZSK keys are.
Has anyone else had these problems?
 
Your configuration has different algorithms for KSK and ZSK (which is against "algorithm 13 requires both KSK and ZSK roles").

This should pass named-checkconf:
Code:
dnssec-policy "myway" {
    keys {
        KSK key-directory lifetime P180D algorithm 13; /* 13=ECDSAP256SHA256 */
        ZSK key-directory lifetime P30D algorithm 13;
    };
};

With dnssec-policy enabled one also has to provide write access to key-directory (and the key files) for bind.
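The rule the reply points to, as an added example that is neither BIND's code nor anyone's in this thread: a small Python checker that applies the per-algorithm role requirement to a dnssec-policy snippet and reproduces the "requires both KSK and ZSK roles" message for the mixed-algorithm policy above, plus the key-directory write check the reply mentions. The comment stripping, the per-line regex and the algorithm table are simplifying assumptions, not a full named.conf parser.

```python
"""Checker for the keys{} clause of a BIND dnssec-policy: applies the rule behind
"algorithm N requires both KSK and ZSK roles" (added example, not BIND's code)."""
import os
import re
# DNSSEC algorithm mnemonics BIND accepts instead of numbers (IANA registry).
ALGO_NUMBERS = {"rsasha256": 8, "rsasha512": 10, "ecdsap256sha256": 13,
                "ecdsap384sha384": 14, "ed25519": 15, "ed448": 16}

KEY_RE = re.compile(
    r"^(?P<role>ksk|zsk|csk)\s+(?:key-directory\s+)?lifetime\s+\S+\s+"
    r"algorithm\s+(?P<alg>[a-z0-9]+)(?:\s+\d+)?$", re.IGNORECASE)

# The mixed-algorithm policy from the thread, as constructed sample input.
MIXED_POLICY = ('dnssec-policy "myway" { keys { '
                'KSK key-directory lifetime P180D algorithm 14; '
                'ZSK key-directory lifetime P30D algorithm 13; }; };')

def parse_keys(policy: str) -> list[tuple[str, int]]:
    """Return (role, algorithm number) pairs from the keys { ... } clause."""
    text = re.sub(r"/\*.*?\*/", "", policy, flags=re.S)   # /* */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)               # // and # comments
    m = re.search(r"keys\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no keys {} clause in dnssec-policy")
    pairs = []
    for stmt in m.group(1).split(";"):
        stmt = " ".join(stmt.split())                      # collapse whitespace
        if not stmt:
            continue
        km = KEY_RE.match(stmt)
        if not km:
            raise ValueError(f"unparsable key statement: {stmt!r}")
        alg = km.group("alg").lower()
        number = int(alg) if alg.isdigit() else ALGO_NUMBERS[alg]
        pairs.append((km.group("role").lower(), number))
    return pairs

def check_roles(policy: str) -> list[str]:
    """Per algorithm, named wants either a CSK or both a KSK and a ZSK."""
    roles_by_alg: dict[int, set[str]] = {}
    for role, alg in parse_keys(policy):
        roles_by_alg.setdefault(alg, set()).add(role)
    return [f"algorithm {alg} requires both KSK and ZSK roles"
            for alg, roles in sorted(roles_by_alg.items())
            if "csk" not in roles and not {"ksk", "zsk"} <= roles]

def key_directory_writable(path: str) -> bool:
    """named must be able to create and rewrite key files in key-directory."""
    return os.path.isdir(path) and os.access(path, os.W_OK)
```

Run `check_roles()` over a candidate policy before reloading named; an empty list means every algorithm in use has either a CSK or a KSK/ZSK pair.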
 
Sorry for the delay.

The problem occurs when using the same algorithm too, on both versions of Bind.

Reading the docs a bit more, if I understood correctly, it seems the new key format CSC should be the default, and because of this there is no longer a KSK with a ZSK; instead there is the CSC with NSEC3.

The old way I was using was shell scripts in crontab to make the keys manually and send the public key data to me by email, so I didn't need to log in to the DNS server; with automatic signing by Bind, I would simply log in to the registrar and enter the public key. This new policy approach doesn't allow auto-signing the way I was using it, so now it looks like I have to script each step manually.
 