Knot DNS issue #617 (Closed)
Issue created Oct 24, 2018 by Sebastian Wiesinger (@sebastianw)

During algorithm rollover, old keys get removed before DS TTL expires

I was doing an algorithm rollover for the zone 6v6.de. This zone has a DNSKEY TTL of 3600 (1h). One hour after Knot detected the DS change at the parent zone, it removed the old keys from the zone, even though the parent DS has a TTL of 86400 (1d). This made the zone bogus on resolvers that still had the old DS in cache:

Oct 24 13:02:03 alita unbound: [2897:0] info: validation failure <6v6.de. A IN>: no keys have a DS with algorithm RSASHA256 from 2a01:4f8:150:7142::53 for key 6v6.de. while building chain of trust
Oct 24 13:34:46 alita unbound: [2897:3] info: validation failure <6v6.de. MX IN>: no keys have a DS with algorithm RSASHA256 from 213.95.0.65 for key 6v6.de. while building chain of trust

From the resolver:

# dig @127.0.0.1 6v6.de DS

; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @127.0.0.1 6v6.de DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;6v6.de.                                IN      DS

;; ANSWER SECTION:
6v6.de.                 73543   IN      DS      59381 8 2 82C73B71D5BD196F2AE555812D85E9766B90646EF922F2805D0F8FAC A9962F78

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 24 13:36:20 CEST 2018
;; MSG SIZE  rcvd: 83

From the auth:

root@alita:/etc/knot# dig @a.nic.de 6v6.de DS

; <<>> DiG 9.11.4-P2-3~bpo9+1-Debian <<>> @a.nic.de 6v6.de DS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41975
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 313801575f1130e40570e46c5bd0595daf3ff6745ed62ce1 (good)
;; QUESTION SECTION:
;6v6.de.                                IN      DS

;; ANSWER SECTION:
6v6.de.                 86400   IN      DS      54879 13 2 A944984935973E1F6B1F6F34C85D95D53D9F7BCFCD6DA52795061A49 0164AA11

;; Query time: 12 msec
;; SERVER: 2001:678:2::53#53(2001:678:2::53)
;; WHEN: Wed Oct 24 13:37:01 CEST 2018
;; MSG SIZE  rcvd: 111

This seems like an error to me; the old key should only be removed after the DS has expired from all caches. From RFC 6781:

  DNSKEY removal:  After the cache data for the old DS RRset has
  expired, the old algorithm can be removed.  This time, the old key
  needs to be removed first, before removing the old signatures.

Knot version is: 2.7.2-2~bpo9+1 (Debian Stretch Backport)

Config for the zone:

submission:
  - id: tld_de
    parent: [a.nic.de, f.nic.de, l.de.net, n.de.net, s.de.net, z.nic.de]
    check-interval: 30m

policy:
  - id: ecdsap256-de
    algorithm: ecdsap256sha256
    ksk-submission: tld_de

template:
  - id: slave-dnssec-rsa-de
    storage: "/var/lib/knot/slave"
    file: "%s.zone"
    dnssec-signing: on
    dnssec-policy: ecdsap256-de
    master: ns1_signer
    notify: ns1
    acl: acl_ns1

zone:
- domain: 6v6.de
  template: slave-dnssec-rsa-de
  serial-policy: unixtime
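The timing rule the report refers to can be checked mechanically. The following is an added example, not code from the issue or from Knot DNS: it parses the two DS answers quoted above, flags the condition unbound logs (a cached DS whose algorithm no longer has a DNSKEY), and computes the earliest safe withdrawal times per the RFC 6781 ordering. The detection timestamp and the assumption that the old DS carried the same 86400 TTL as the new one are constructed for the example; the `propagation_delay` parameter is a hypothetical extra margin, not a Knot option.

```python
# Added example (not part of the issue or of Knot DNS): model the RFC 6781
# algorithm-rollover timeline and check whether withdrawing the old DNSKEY is
# safe given a DS RRset a resolver may still have cached.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DS:
    owner: str
    ttl: int          # as answered: full TTL from the parent, remaining TTL from a cache
    keytag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(line: str) -> DS:
    """Parse one DS record in dig presentation format.

    dig prints long digests as several whitespace-separated chunks, so
    everything after the digest type is joined back into one hex string.
    """
    f = line.split()
    if len(f) < 8 or f[2] != "IN" or f[3] != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    return DS(f[0], int(f[1]), int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]).upper())


def unsupported_algorithms(cached_ds: list[DS], dnskey_algorithms: set[int]) -> set[int]:
    """Algorithms referenced by a cached DS RRset but absent from the DNSKEY RRset.

    A validator holding such a DS cannot build a chain of trust and marks the
    zone bogus (unbound: "no keys have a DS with algorithm ...").
    """
    return {ds.algorithm for ds in cached_ds} - dnskey_algorithms


def cached_until(seen_at: datetime, ds: DS) -> datetime:
    """When a DS answered with a remaining TTL drops out of that resolver's cache."""
    return seen_at + timedelta(seconds=ds.ttl)


def earliest_dnskey_removal(ds_change_seen: datetime, old_ds_ttl: int,
                            propagation_delay: int = 0) -> datetime:
    """Earliest time the old-algorithm DNSKEY may be withdrawn.

    A resolver may have fetched the old DS just before the parent switched,
    so it can be cached for up to its full TTL after the change was observed
    (plus a hypothetical margin for propagation across the parent's servers).
    """
    return ds_change_seen + timedelta(seconds=old_ds_ttl + propagation_delay)


def earliest_rrsig_removal(dnskey_removed: datetime, dnskey_ttl: int,
                           propagation_delay: int = 0) -> datetime:
    """Earliest time the old-algorithm RRSIGs may go: only after every cached
    DNSKEY RRset that still contained the old key has expired."""
    return dnskey_removed + timedelta(seconds=dnskey_ttl + propagation_delay)


# DS records as quoted in the issue; timestamps below are assumed for the example.
RESOLVER_DS = parse_ds(
    "6v6.de.  73543  IN  DS  59381 8 2 "
    "82C73B71D5BD196F2AE555812D85E9766B90646EF922F2805D0F8FAC A9962F78")
PARENT_DS = parse_ds(
    "6v6.de.  86400  IN  DS  54879 13 2 "
    "A944984935973E1F6B1F6F34C85D95D53D9F7BCFCD6DA52795061A49 0164AA11")
DS_CHANGE_SEEN = datetime(2018, 10, 24, 12, 2, tzinfo=timezone.utc)   # assumed
RESOLVER_QUERIED = datetime(2018, 10, 24, 13, 36, tzinfo=timezone.utc)  # assumed
DNSKEY_TTL = 3600
OLD_DS_TTL = PARENT_DS.ttl  # assumed: old DS had the same TTL as the new one


def rollover_report() -> dict:
    """Summarise the reported behaviour: old keys dropped one DNSKEY TTL after
    the DS change instead of one DS TTL after it."""
    ok_after = earliest_dnskey_removal(DS_CHANGE_SEEN, OLD_DS_TTL)
    actually_removed = DS_CHANGE_SEEN + timedelta(seconds=DNSKEY_TTL)
    old_ds_expires = cached_until(RESOLVER_QUERIED, RESOLVER_DS)
    return {
        "removed_too_early": actually_removed < ok_after,
        "hours_early": (ok_after - actually_removed).total_seconds() / 3600,
        "resolver_still_has_old_ds": old_ds_expires > actually_removed,
        "bogus_for_algorithms": unsupported_algorithms([RESOLVER_DS], {PARENT_DS.algorithm}),
        "dnskey_ok_after": ok_after,
        "rrsigs_ok_after": earliest_rrsig_removal(ok_after, DNSKEY_TTL),
    }


if __name__ == "__main__":
    for key, value in rollover_report().items():
        print(f"{key}: {value}")
```

Running it shows the old DNSKEY was withdrawn 23 hours before the old DS could have aged out of caches, and that a resolver holding the algorithm 8 DS sees a DNSKEY RRset with no matching algorithm, which is exactly the validation failure in the unbound log.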