Old Key is being used after an Algorithm Rollover with a Shared Policy
This is a follow up to the problem that we tried to pin down on the mailing list over the last few months.
Summary
After we performed an algorithm rollover in our Knot instance, we noticed that old key algorithms were still being used for newly signed zones.
The issue seems to be caused by removing a signed zone, performing the algorithm rollover and adding a new signed zone, when the configuration states that the zones should use a shared key policy.
Environment
We were able to reproduce this issue with Knot v3.0.4 in an isolated Docker environment on Alpine Linux.
# knotc --version
knotc (Knot DNS), version 3.0.4
# cat /etc/*-release
3.13.0
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0
PRETTY_NAME="Alpine Linux v3.13"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
Steps to Reproduce
Step 1: Start knot with a signed zone zonetransfer.me, shared policy, RSASHA256
Contents of knot.conf:
server:
    listen: ::@8053
    listen: 0.0.0.0@8053

log:
  - target: /var/log/knot.log
    any: info

control:
    listen: /var/run/knot/knot.sock

remote:
  - id: local-resolver
    address: 192.168.1.2
  - id: zonetransfer.me.primary
    address: 81.4.108.41@53 # nsztm1.digi.ninja.
    address: 34.225.33.2@53 # nsztm2.digi.ninja.

acl:
  - id: zonetransfer.me.primary
    address: 81.4.108.41 # nsztm1.digi.ninja.
    address: 34.225.33.2 # nsztm2.digi.ninja.
    action: notify

submission:
  - id: resolver
    parent: local-resolver

policy:
  - id: shared
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always
    ksk-shared: true
  - id: unsigned
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    nsec3: true
    cds-cdnskey-publish: delete-dnssec
    ksk-shared: true

template:
  - id: default
    semantic-checks: on
    global-module: mod-stats
    serial-policy: unixtime
    dnssec-signing: off
    zonefile-load: difference
  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    serial-policy: unixtime
    zonefile-load: difference
  - id: unsigned
    dnssec-signing: on
    dnssec-policy: unsigned
    serial-policy: unixtime
    zonefile-load: difference

zone:
  - domain: zonetransfer.me
    master: zonetransfer.me.primary
    acl: zonetransfer.me.primary
    template: signed
Contents of /var/log/knot.log:
2021-03-18T12:28:11+0000 info: Knot DNS 3.0.4 starting
2021-03-18T12:28:11+0000 info: loaded configuration file '/var/lib/knot/knot.conf'
2021-03-18T12:28:11+0000 info: using reuseport for UDP
2021-03-18T12:28:11+0000 info: binding to interface ::@8053
2021-03-18T12:28:11+0000 info: binding to interface 0.0.0.0@8053
2021-03-18T12:28:11+0000 info: loading 1 zones
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] zone will be loaded
2021-03-18T12:28:11+0000 info: starting server
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] failed to parse zone file (not exists)
2021-03-18T12:28:11+0000 info: server started in the foreground, PID 7
2021-03-18T12:28:11+0000 info: control, binding to '/var/run/knot/knot.sock'
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] AXFR, incoming, remote 81.4.108.41@53, started
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] AXFR, incoming, remote 81.4.108.41@53, finished, 0.00 seconds, 1 messages, 1994 bytes
2021-03-18T12:28:11+0000 notice: [zonetransfer.me.] DNSSEC, KSK submission, waiting for confirmation
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] DNSSEC, key, tag 58870, algorithm RSASHA256, KSK, public, ready, active+
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] DNSSEC, key, tag 14859, algorithm RSASHA256, public, active
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] DNSSEC, signing started
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] DNSSEC, successfully signed
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] DNSSEC, next signing at 2021-03-25T12:28:11+0000
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] refresh, remote 81.4.108.41@53, zone updated, 0.35 seconds, serial none -> 2019100802, remote serial 2019100801
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] zone file updated, serial 2019100802
2021-03-18T12:28:17+0000 warning: [zonetransfer.me.] DS check, outgoing, remote 192.168.1.2@53, failed (connection reset)
keymgr output:
# keymgr -c /var/lib/knot/knot.conf zonetransfer.me list
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070491 ready=1616070491 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
97d0ee5c956e017f0386fb1fc4b12beee3846a30 ksk=no zsk=yes tag=14859 algorithm=8 size=1024 public-only=no pre-active=0 publish=1616070491 ready=0 active=1616070491 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
Step 2: Remove the signed template from zonetransfer.me
Contents of knot.conf:
server:
    listen: ::@8053
    listen: 0.0.0.0@8053

log:
  - target: /var/log/knot.log
    any: info

control:
    listen: /var/run/knot/knot.sock

remote:
  - id: local-resolver
    address: 192.168.1.2
  - id: zonetransfer.me.primary
    address: 81.4.108.41@53 # nsztm1.digi.ninja.
    address: 34.225.33.2@53 # nsztm2.digi.ninja.

acl:
  - id: zonetransfer.me.primary
    address: 81.4.108.41 # nsztm1.digi.ninja.
    address: 34.225.33.2 # nsztm2.digi.ninja.
    action: notify

submission:
  - id: resolver
    parent: local-resolver

policy:
  - id: shared
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always
    ksk-shared: true
  - id: unsigned
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    nsec3: true
    cds-cdnskey-publish: delete-dnssec
    ksk-shared: true

template:
  - id: default
    semantic-checks: on
    global-module: mod-stats
    serial-policy: unixtime
    dnssec-signing: off
    zonefile-load: difference
  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    serial-policy: unixtime
    zonefile-load: difference
  - id: unsigned
    dnssec-signing: on
    dnssec-policy: unsigned
    serial-policy: unixtime
    zonefile-load: difference

zone:
  - domain: zonetransfer.me
    master: zonetransfer.me.primary
    acl: zonetransfer.me.primary
Updates in /var/log/knot.log:
2021-03-18T12:30:24+0000 info: control, received command 'reload'
2021-03-18T12:30:24+0000 info: reloading configuration file '/var/lib/knot/knot.conf'
2021-03-18T12:30:24+0000 info: configuration reloaded
keymgr output:
# keymgr -c /var/lib/knot/knot.conf zonetransfer.me list
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070491 ready=1616070491 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
97d0ee5c956e017f0386fb1fc4b12beee3846a30 ksk=no zsk=yes tag=14859 algorithm=8 size=1024 public-only=no pre-active=0 publish=1616070491 ready=0 active=1616070491 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
Step 3: Update algorithm to RSASHA512 and add a new signed zone
Contents of zonetransfer1.me.zone:
;; Zone dump (Knot DNS 3.0.4)
zonetransfer1.me. 7200 SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100803 172800 900 1209600 3600
zonetransfer1.me. 7200 NS nsztm1.digi.ninja.
zonetransfer1.me. 7200 NS nsztm2.digi.ninja.
;; Written 271 records
;; Time 2021-03-16 15:11:07 UTC
Contents of knot.conf:
server:
    listen: ::@8053
    listen: 0.0.0.0@8053

log:
  - target: /var/log/knot.log
    any: info

control:
    listen: /var/run/knot/knot.sock

remote:
  - id: local-resolver
    address: 192.168.1.2
  - id: zonetransfer.me.primary
    address: 81.4.108.41@53 # nsztm1.digi.ninja.
    address: 34.225.33.2@53 # nsztm2.digi.ninja.

acl:
  - id: zonetransfer.me.primary
    address: 81.4.108.41 # nsztm1.digi.ninja.
    address: 34.225.33.2 # nsztm2.digi.ninja.
    action: notify

submission:
  - id: resolver
    parent: local-resolver

policy:
  - id: shared
    algorithm: RSASHA512
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 30d
    ksk-lifetime: 365d
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always
    ksk-shared: true
  - id: unsigned
    algorithm: RSASHA512
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 30d
    ksk-lifetime: 365d
    nsec3: true
    cds-cdnskey-publish: delete-dnssec
    ksk-shared: true

template:
  - id: default
    semantic-checks: on
    global-module: mod-stats
    serial-policy: unixtime
    dnssec-signing: off
    zonefile-load: difference
  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    serial-policy: unixtime
    zonefile-load: difference
  - id: unsigned
    dnssec-signing: on
    dnssec-policy: unsigned
    serial-policy: unixtime
    zonefile-load: difference

zone:
  - domain: zonetransfer.me
    master: zonetransfer.me.primary
    acl: zonetransfer.me.primary
  - domain: zonetransfer1.me
    template: signed
Updates in /var/log/knot.log:
2021-03-18T12:32:13+0000 info: control, received command 'reload'
2021-03-18T12:32:13+0000 info: reloading configuration file '/var/lib/knot/knot.conf'
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] zone will be loaded
2021-03-18T12:32:13+0000 info: configuration reloaded
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] zone file parsed, serial 2019100803
2021-03-18T12:32:13+0000 notice: [zonetransfer1.me.] DNSSEC, KSK submission, waiting for confirmation
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] DNSSEC, key, tag 58870, algorithm RSASHA256, KSK, public, ready, active+
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] DNSSEC, key, tag 64377, algorithm RSASHA512, public, active
2021-03-18T12:32:13+0000 error: [zonetransfer1.me.] DNSSEC, keys validation failed (missing active KSK or ZSK)
2021-03-18T12:32:13+0000 error: [zonetransfer1.me.] DNSSEC, failed to load keys (missing active KSK or ZSK)
2021-03-18T12:32:13+0000 error: [zonetransfer1.me.] zone event 'load' failed (missing active KSK or ZSK)
keymgr output:
# keymgr -c /var/lib/knot/knot.conf zonetransfer.me list
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070491 ready=1616070491 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
97d0ee5c956e017f0386fb1fc4b12beee3846a30 ksk=no zsk=yes tag=14859 algorithm=8 size=1024 public-only=no pre-active=0 publish=1616070491 ready=0 active=1616070491 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
# keymgr -c /var/lib/knot/knot.conf zonetransfer1.me list
2e131dc0d11cb9d86492f024d52685279dcdeedf ksk=no zsk=yes tag=64377 algorithm=10 size=1024 public-only=no pre-active=0 publish=1616070733 ready=0 active=1616070733 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070733 ready=1616070733 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
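As an added example (not part of this report or of Knot DNS), the script below audits a `keymgr <zone> list` listing like the ones above against the policy's `algorithm:`. It reports keys whose algorithm differs from the policy and, following RFC 4035 section 2.2, any algorithm in the key set that has no signing KSK/ZSK pair, which is the state zonetransfer1.me is in when Knot logs "missing active KSK or ZSK". The numbers 8 and 10 are the IANA assignments for RSASHA256 and RSASHA512; treating a "ready" KSK as signing mirrors the "active+" shown in the log.

```python
"""Audit `keymgr <zone> list` output against the configured dnssec-policy.
Added example, not from the report or Knot DNS: flags keys whose algorithm
differs from the policy and any algorithm lacking a signing KSK/ZSK pair."""
import time

ALGORITHMS = {"RSASHA256": 8, "RSASHA512": 10}  # IANA DNSSEC algorithm numbers

# Listing of zonetransfer1.me from step 3 above (quoted from the report)
STEP3_LISTING = """\
2e131dc0d11cb9d86492f024d52685279dcdeedf ksk=no zsk=yes tag=64377 algorithm=10 size=1024 public-only=no pre-active=0 publish=1616070733 ready=0 active=1616070733 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070733 ready=1616070733 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
"""

def parse_keymgr_list(text):
    """Turn each `keymgr list` line into a dict of its key=value fields."""
    keys = []
    for line in text.strip().splitlines():
        fields = line.split()
        key = {"id": fields[0]}
        for kv in fields[1:]:
            name, value = kv.split("=", 1)
            key[name] = int(value) if value.isdigit() else value
        keys.append(key)
    return keys

def signs_zone(key, now):
    """A ZSK signs once active; a KSK signs DNSKEY once ready (log: 'active+')."""
    start = key["active"] if key["zsk"] == "yes" else (key["ready"] or key["active"])
    retired = 0 < key["retire"] <= now  # retire=0 means no retire time set
    return 0 < start <= now and not retired

def audit_keys(listing, policy_algorithm, now=None):
    """Return findings as strings; an empty list means the key set is consistent."""
    now = now or int(time.time())
    expected = ALGORITHMS[policy_algorithm]
    keys = parse_keymgr_list(listing)
    findings = []
    for k in keys:
        if k["algorithm"] != expected:
            role = "KSK" if k["ksk"] == "yes" else "ZSK"
            findings.append(f"{role} tag={k['tag']} has algorithm {k['algorithm']}, policy is {expected}")
    # RFC 4035 s2.2: every algorithm in the DNSKEY RRset must also sign the zone data
    for alg in sorted({k["algorithm"] for k in keys}):
        roles = {"KSK" if k["ksk"] == "yes" else "ZSK"
                 for k in keys if k["algorithm"] == alg and signs_zone(k, now)}
        findings += [f"algorithm {alg} has no signing {r}" for r in ("KSK", "ZSK") if r not in roles]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_keys(STEP3_LISTING, "RSASHA512")))
```

During a legitimate algorithm rollover the mismatch finding is expected for a while; the "no signing KSK/ZSK" findings are the ones that should never appear for a zone Knot is meant to serve signed.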