CSK deactivated too early when rolling to KSK+ZSK policy
With Knot 2.6.7, let there be a zone with a CSK, having a secure delegation:
# dig zone.66.acad.cz dnskey +dnssec +multi
; <<>> DiG 9.10.3-P4-Debian <<>> zone.66.acad.cz dnskey +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16303
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;zone.66.acad.cz. IN DNSKEY
;; ANSWER SECTION:
zone.66.acad.cz. 60 IN DNSKEY 257 3 13 (
PMKxlJcyu+72MFU/7Bb+a9VI5fkSyJ/RITuzgYnCGC9e
3My96ThEsFtJQunWpSvpOI7X2GZ/xhts8N+6/xDjaQ==
) ; KSK; alg = ECDSAP256SHA256; key id = 50801
zone.66.acad.cz. 60 IN RRSIG DNSKEY 13 4 60 (
20180624161108 20180624124108 50801 zone.66.acad.cz.
0Aa/hizP73s/q6qiU/yKzAwM/LX+UjU+6bEm+gai7Pk6
Kth6l8A0graQYIMw4HD0czviFt1D9qRouG/iqmVpsA== )
# keymgr zone.66.acad.cz list
08cd5137185f4333e42b1c046cf29e684b771c86 ksk=yes zsk=yes tag=50801 algorithm=13 public-only=no created=1529849198 pre-active=0 publish=1529849198 ready=1529849208 active=1529849448 retire-active=0 retire=0 post-active=0 remove=0
# cat knot.conf
… irrelevant parts omitted …
policy:
- id: ecdsa_fast
ksk-shared: on
zsk-lifetime: 1h
ksk-lifetime: 5h
propagation-delay: 10s
rrsig-lifetime: 2h
rrsig-refresh: 1h
ksk-submission: local_resolver
single-type-signing: off
- id: ecdsa_fast_single
ksk-shared: on
zsk-lifetime: 1h
ksk-lifetime: 5h
propagation-delay: 10s
rrsig-lifetime: 2h
rrsig-refresh: 1h
single-type-signing: on
ksk-submission: local_resolver
zone:
- domain: "zone.66.acad.cz"
template: mastersign
dnssec-policy: ecdsa_fast_single
file: "/etc/knot/%s.zone"
zonefile-sync: -1
zonefile-load: difference
dnssec-signing: on
dnssec-policy: manual
acl: acl_slave
Let's suppose we want to migrate to ZSK + KSK signing. So we switch to a different policy, which differs only in the single-type-signing option. In the system log, the change goes like this:
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: configuration reloaded
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing scheme rollover started
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 50801, algorithm ECDSAP256SHA256, CSK, public, active
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:01 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T16:15:11
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 50801, algorithm ECDSAP256SHA256, CSK, public, active
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public, ready, active
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public, active
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T16:15:21
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: notice: [zone.66.acad.cz.] DNSSEC, KSK submission, waiting for confirmation
Jun 24 16:15:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
Please note that the new KSK has been submitted, but the DS record has not been updated yet…
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 50801, algorithm ECDSAP256SHA256, CSK, public
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public, ready, active
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public, active
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:21 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T16:15:31
At this moment, the zone becomes bogus, because the DNSKEY RRset is no longer signed by the CSK with key tag 50801.
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing zone
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 30240, algorithm ECDSAP256SHA256, KSK, public, ready, active
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, key, tag 4, algorithm ECDSAP256SHA256, public, active
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, signing started
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, successfully signed
Jun 24 16:15:31 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] DNSSEC, next signing at 2018-06-24T17:15:11
Now the CSK is even removed from the zone, even though it is still referenced by the parent DS record. And although the rollover is finished, the parent DS check keeps running:
Jun 24 16:17:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
Jun 24 16:18:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
Jun 24 16:19:11 n66.clones.cesnet.cz knotd[4246]: info: [zone.66.acad.cz.] parent DS check, outgoing, 2001:718::53@53: KSK submission attempt: negative
When rolling in the opposite direction – from ZSK+KSK to CSK – no issue is observed.
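To make the failure above concrete, here is an added example (not part of this report and not Knot code) that replays the signer sets from the log excerpt and checks, at each step, whether a validator could still build a chain of trust from the parent DS into the zone: a DS must match a published DNSKEY, and that key must be among the signers of the DNSKEY RRset. The CSK is the DNSKEY from the dig output above (its computed tag should print as 50801); the replacement KSK and ZSK key bytes are constructed placeholders, not the real keys 30240 and 4, and the parent DS is assumed to be the SHA-256 DS of the CSK, which is what the log's "DS record has not been updated yet" implies. Key tags follow RFC 4034 Appendix B and the DS digest RFC 4509; the RRSIG itself is not cryptographically verified, only its signer tag is checked.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed example (not Knot code): model the DNSKEY/DS/RRSIG state at each
# step of the reported CSK -> KSK+ZSK rollover and check whether a validator
# could still build a chain of trust from the parent DS into the zone.

ZONE = "zone.66.acad.cz"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes          # raw public key, as decoded from the base64 presentation form

    @classmethod
    def from_text(cls, flags: int, protocol: int, algorithm: int, b64: str) -> "DNSKEY":
        return cls(flags, protocol, algorithm, base64.b64decode(b64))

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA taken as big-endian pairs."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, the form hashed into a DS digest."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int       # 2 = SHA-256 (RFC 4509)
    digest: bytes


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS with digest type 2: SHA-256(owner name wire || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)


def chain_is_intact(owner, dnskeys, dnskey_rrsig_tags, parent_ds) -> bool:
    """True if some parent DS matches a published DNSKEY *and* that key is among
    the signers of the DNSKEY RRset. Simplified: tag/algorithm/digest are matched,
    the RRSIG is not cryptographically verified."""
    for key in dnskeys:
        candidate = ds_from_dnskey(owner, key)
        for ds in parent_ds:
            if ds.digest_type == 2 and ds == candidate and key.key_tag() in dnskey_rrsig_tags:
                return True
    return False


# The CSK is the DNSKEY shown in the dig output above; the KSK and ZSK public keys
# are constructed placeholders (not the real keys with tags 30240 and 4).
CSK = DNSKEY.from_text(257, 3, 13,
                       "PMKxlJcyu+72MFU/7Bb+a9VI5fkSyJ/RITuzgYnCGC9e"
                       "3My96ThEsFtJQunWpSvpOI7X2GZ/xhts8N+6/xDjaQ==")
NEW_KSK = DNSKEY(257, 3, 13, bytes(range(64)))        # constructed
NEW_ZSK = DNSKEY(256, 3, 13, bytes(range(64, 128)))   # constructed
DS_CSK = [ds_from_dnskey(ZONE, CSK)]                  # assumed: what the parent serves now
DS_KSK = [ds_from_dnskey(ZONE, NEW_KSK)]              # what it should serve after submission


def timeline():
    """Replay the signer sets from the log excerpt; returns [(step, chain intact?)]."""
    csk, ksk = CSK.key_tag(), NEW_KSK.key_tag()
    steps = [
        ("before reload: CSK only",                            [CSK], {csk}, DS_CSK),
        ("16:15:11: CSK active, new KSK ready+active",         [CSK, NEW_KSK, NEW_ZSK], {csk, ksk}, DS_CSK),
        ("16:15:21: CSK published but inactive, DS unchanged", [CSK, NEW_KSK, NEW_ZSK], {ksk}, DS_CSK),
        ("16:15:31: CSK removed, DS unchanged",                [NEW_KSK, NEW_ZSK], {ksk}, DS_CSK),
        ("after parent publishes DS for new KSK",              [NEW_KSK, NEW_ZSK], {ksk}, DS_KSK),
    ]
    return [(label, chain_is_intact(ZONE, keys, signers, ds)) for label, keys, signers, ds in steps]


if __name__ == "__main__":
    print("CSK key tag:", CSK.key_tag())
    for label, ok in timeline():
        print(f"{'secure' if ok else 'BOGUS '}  {label}")
```

The third and fourth steps come out bogus: the DNSKEY RRset is signed only by the new KSK while the parent DS still refers to the CSK, which is exactly the window the log shows between 16:15:21 and the (never completed) DS update. The safe ordering is the reverse: keep the CSK active as a DNSKEY signer until the parent DS check reports a positive result, and only then retire and remove it.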