Old Key is being used after an Algorithm Rollover with a Shared Policy
_This is a follow-up to the problem that we tried to pin down on the [mailing list](https://lists.nic.cz/pipermail/knot-dns-users/2021-March/001972.html) over the last few months._

# Summary

After we performed an algorithm rollover in our knot instance, we noticed that old key algorithms were still being used for newly signed zones. The issue seems to be caused by removing a signed zone, performing the algorithm rollover and adding a new signed zone, when the configuration states that the zones should use a shared key policy.

# Environment

We were able to reproduce this issue with knot v3.0.4 in an isolated docker environment on alpine linux.

```
# knotc --version
knotc (Knot DNS), version 3.0.4
```

```
# cat /etc/*-release
3.13.0
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0
PRETTY_NAME="Alpine Linux v3.13"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
```

# Steps to Reproduce

## Step 1: Start knot with a signed zone zonetransfer.me, shared policy, RSASHA256

Contents of knot.conf:

```
server:
    listen: ::@8053
    listen: 0.0.0.0@8053

log:
  - target: /var/log/knot.log
    any: info

control:
    listen: /var/run/knot/knot.sock

remote:
  - id: local-resolver
    address: 192.168.1.2
  - id: zonetransfer.me.primary
    address: 81.4.108.41@53 # nsztm1.digi.ninja.
    address: 34.225.33.2@53 # nsztm2.digi.ninja.

acl:
  - id: zonetransfer.me.primary
    address: 81.4.108.41 # nsztm1.digi.ninja.
    address: 34.225.33.2 # nsztm2.digi.ninja.
    action: notify

submission:
  - id: resolver
    parent: local-resolver

policy:
  - id: shared
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always
    ksk-shared: true
  - id: unsigned
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    nsec3: true
    cds-cdnskey-publish: delete-dnssec
    ksk-shared: true

template:
  - id: default
    semantic-checks: on
    global-module: mod-stats
    serial-policy: unixtime
    dnssec-signing: off
    zonefile-load: difference
  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    serial-policy: unixtime
    zonefile-load: difference
  - id: unsigned
    dnssec-signing: on
    dnssec-policy: unsigned
    serial-policy: unixtime
    zonefile-load: difference

zone:
  - domain: zonetransfer.me
    master: zonetransfer.me.primary
    acl: zonetransfer.me.primary
    template: signed
```

Contents of /var/log/knot.log:

```
2021-03-18T12:28:11+0000 info: Knot DNS 3.0.4 starting
2021-03-18T12:28:11+0000 info: loaded configuration file '/var/lib/knot/knot.conf'
2021-03-18T12:28:11+0000 info: using reuseport for UDP
2021-03-18T12:28:11+0000 info: binding to interface ::@8053
2021-03-18T12:28:11+0000 info: binding to interface 0.0.0.0@8053
2021-03-18T12:28:11+0000 info: loading 1 zones
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] zone will be loaded
2021-03-18T12:28:11+0000 info: starting server
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] failed to parse zone file (not exists)
2021-03-18T12:28:11+0000 info: server started in the foreground, PID 7
2021-03-18T12:28:11+0000 info: control, binding to '/var/run/knot/knot.sock'
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] AXFR, incoming, remote 81.4.108.41@53, started
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] AXFR, incoming, remote 81.4.108.41@53, finished, 0.00 seconds, 1 messages, 1994 bytes
2021-03-18T12:28:11+0000 notice: [zonetransfer.me.] DNSSEC, KSK submission, waiting for confirmation
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] DNSSEC, key, tag 58870, algorithm RSASHA256, KSK, public, ready, active+
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] DNSSEC, key, tag 14859, algorithm RSASHA256, public, active
2021-03-18T12:28:11+0000 info: [zonetransfer.me.] DNSSEC, signing started
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] DNSSEC, successfully signed
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] DNSSEC, next signing at 2021-03-25T12:28:11+0000
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] refresh, remote 81.4.108.41@53, zone updated, 0.35 seconds, serial none -> 2019100802, remote serial 2019100801
2021-03-18T12:28:12+0000 info: [zonetransfer.me.] zone file updated, serial 2019100802
2021-03-18T12:28:17+0000 warning: [zonetransfer.me.] DS check, outgoing, remote 192.168.1.2@53, failed (connection reset)
```

keymgr Output:

```
# keymgr -c /var/lib/knot/knot.conf zonetransfer.me list
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070491 ready=1616070491 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
97d0ee5c956e017f0386fb1fc4b12beee3846a30 ksk=no zsk=yes tag=14859 algorithm=8 size=1024 public-only=no pre-active=0 publish=1616070491 ready=0 active=1616070491 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
```

## Step 2: Remove the signed template from zonetransfer.me

Contents of knot.conf:

```
server:
    listen: ::@8053
    listen: 0.0.0.0@8053

log:
  - target: /var/log/knot.log
    any: info

control:
    listen: /var/run/knot/knot.sock

remote:
  - id: local-resolver
    address: 192.168.1.2
  - id: zonetransfer.me.primary
    address: 81.4.108.41@53 # nsztm1.digi.ninja.
    address: 34.225.33.2@53 # nsztm2.digi.ninja.

acl:
  - id: zonetransfer.me.primary
    address: 81.4.108.41 # nsztm1.digi.ninja.
    address: 34.225.33.2 # nsztm2.digi.ninja.
    action: notify

submission:
  - id: resolver
    parent: local-resolver

policy:
  - id: shared
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always
    ksk-shared: true
  - id: unsigned
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 14d
    ksk-lifetime: 28d
    nsec3: true
    cds-cdnskey-publish: delete-dnssec
    ksk-shared: true

template:
  - id: default
    semantic-checks: on
    global-module: mod-stats
    serial-policy: unixtime
    dnssec-signing: off
    zonefile-load: difference
  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    serial-policy: unixtime
    zonefile-load: difference
  - id: unsigned
    dnssec-signing: on
    dnssec-policy: unsigned
    serial-policy: unixtime
    zonefile-load: difference

zone:
  - domain: zonetransfer.me
    master: zonetransfer.me.primary
    acl: zonetransfer.me.primary
```

Updates in /var/log/knot.log:

```
2021-03-18T12:30:24+0000 info: control, received command 'reload'
2021-03-18T12:30:24+0000 info: reloading configuration file '/var/lib/knot/knot.conf'
2021-03-18T12:30:24+0000 info: configuration reloaded
```

Keymgr Output:

```
# keymgr -c /var/lib/knot/knot.conf zonetransfer.me list
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070491 ready=1616070491 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
97d0ee5c956e017f0386fb1fc4b12beee3846a30 ksk=no zsk=yes tag=14859 algorithm=8 size=1024 public-only=no pre-active=0 publish=1616070491 ready=0 active=1616070491 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
```

## Step 3: Update algorithm to RSASHA512 and add a new signed zone

Contents of zonetransfer1.me.zone:

```
;; Zone dump (Knot DNS 3.0.4)
zonetransfer1.me. 7200 SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100803 172800 900 1209600 3600
zonetransfer1.me. 7200 NS nsztm1.digi.ninja.
zonetransfer1.me. 7200 NS nsztm2.digi.ninja.
;; Written 271 records
;; Time 2021-03-16 15:11:07 UTC
```

Contents of knot.conf:

```
server:
    listen: ::@8053
    listen: 0.0.0.0@8053

log:
  - target: /var/log/knot.log
    any: info

control:
    listen: /var/run/knot/knot.sock

remote:
  - id: local-resolver
    address: 192.168.1.2
  - id: zonetransfer.me.primary
    address: 81.4.108.41@53 # nsztm1.digi.ninja.
    address: 34.225.33.2@53 # nsztm2.digi.ninja.

acl:
  - id: zonetransfer.me.primary
    address: 81.4.108.41 # nsztm1.digi.ninja.
    address: 34.225.33.2 # nsztm2.digi.ninja.
    action: notify

submission:
  - id: resolver
    parent: local-resolver

policy:
  - id: shared
    algorithm: RSASHA512
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 30d
    ksk-lifetime: 365d
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always
    ksk-shared: true
  - id: unsigned
    algorithm: RSASHA512
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 30d
    ksk-lifetime: 365d
    nsec3: true
    cds-cdnskey-publish: delete-dnssec
    ksk-shared: true

template:
  - id: default
    semantic-checks: on
    global-module: mod-stats
    serial-policy: unixtime
    dnssec-signing: off
    zonefile-load: difference
  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    serial-policy: unixtime
    zonefile-load: difference
  - id: unsigned
    dnssec-signing: on
    dnssec-policy: unsigned
    serial-policy: unixtime
    zonefile-load: difference

zone:
  - domain: zonetransfer.me
    master: zonetransfer.me.primary
    acl: zonetransfer.me.primary
  - domain: zonetransfer1.me
    template: signed
```

Updates in /var/log/knot.log:

```
2021-03-18T12:32:13+0000 info: control, received command 'reload'
2021-03-18T12:32:13+0000 info: reloading configuration file '/var/lib/knot/knot.conf'
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] zone will be loaded
2021-03-18T12:32:13+0000 info: configuration reloaded
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] zone file parsed, serial 2019100803
2021-03-18T12:32:13+0000 notice: [zonetransfer1.me.] DNSSEC, KSK submission, waiting for confirmation
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] DNSSEC, key, tag 58870, algorithm RSASHA256, KSK, public, ready, active+
2021-03-18T12:32:13+0000 info: [zonetransfer1.me.] DNSSEC, key, tag 64377, algorithm RSASHA512, public, active
2021-03-18T12:32:13+0000 error: [zonetransfer1.me.] DNSSEC, keys validation failed (missing active KSK or ZSK)
2021-03-18T12:32:13+0000 error: [zonetransfer1.me.] DNSSEC, failed to load keys (missing active KSK or ZSK)
2021-03-18T12:32:13+0000 error: [zonetransfer1.me.] zone event 'load' failed (missing active KSK or ZSK)
```

Keymgr Output:

```
# keymgr -c /var/lib/knot/knot.conf zonetransfer.me list
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070491 ready=1616070491 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
97d0ee5c956e017f0386fb1fc4b12beee3846a30 ksk=no zsk=yes tag=14859 algorithm=8 size=1024 public-only=no pre-active=0 publish=1616070491 ready=0 active=1616070491 retire-active=0 retire=0 post-active=0 revoke=0 remove=0

# keymgr -c /var/lib/knot/knot.conf zonetransfer1.me list
2e131dc0d11cb9d86492f024d52685279dcdeedf ksk=no zsk=yes tag=64377 algorithm=10 size=1024 public-only=no pre-active=0 publish=1616070733 ready=0 active=1616070733 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070733 ready=1616070733 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
```
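As an added example (not the reporter's or the Knot DNS project's code), the check below parses `keymgr <zone> list` output as shown in Step 3 and reports, per algorithm, whether a usable KSK and a usable ZSK both exist, which is the invariant RFC 4035 section 2.2 requires and the condition Knot reports as "missing active KSK or ZSK"; it also flags any key whose algorithm differs from the policy's. The rule for when a key counts as usable is a simplified reading of the keymgr timestamps and is an assumption of this example.

```python
# Added example, not from the Knot DNS project or the issue reporter: parse the
# `keymgr <zone> list` output shown in the issue and check that every algorithm
# in the key set has both a usable KSK and a usable ZSK (RFC 4035 section 2.2),
# and that each key matches the policy's algorithm. Assumption: a key is usable
# when its ready or active timestamp is set and it is neither retired nor removed.

# IANA DNSSEC algorithm numbers for the mnemonics that appear in the issue.
ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}

# Sample input, copied from the Step 3 listing for zonetransfer1.me in the issue.
SAMPLE_LISTING = """\
2e131dc0d11cb9d86492f024d52685279dcdeedf ksk=no zsk=yes tag=64377 algorithm=10 size=1024 public-only=no pre-active=0 publish=1616070733 ready=0 active=1616070733 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
4c60209f570722443d56c073a22bced1eb864d5e ksk=yes zsk=no tag=58870 algorithm=8 size=2048 public-only=no pre-active=0 publish=1616070733 ready=1616070733 active=0 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
"""


def parse_keymgr_list(text):
    """One dict per key; numeric fields (tag, algorithm, timestamps) become ints."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            rec = {"id": fields[0]}
            for item in fields[1:]:
                name, value = item.split("=", 1)
                rec[name] = int(value) if value.isdigit() else value
            keys.append(rec)
    return keys


def is_usable(key):
    # Simplified state rule (assumption): ready or active set, not retired or removed.
    return bool(key["active"] or key["ready"]) and not key["retire"] and not key["remove"]


def check_keyset(keys, policy_algorithm):
    """Return findings as strings; an empty list means the key set is consistent."""
    findings, roles_by_alg = [], {}
    for key in keys:
        alg = key["algorithm"]
        if alg != policy_algorithm:
            findings.append(f"tag {key['tag']}: algorithm {alg} ({ALGORITHMS.get(alg, '?')}) "
                            f"differs from policy algorithm {policy_algorithm}")
        if is_usable(key):
            roles_by_alg.setdefault(alg, set()).add("KSK" if key["ksk"] == "yes" else "ZSK")
    # Each algorithm present must be able to sign the zone with both roles.
    for alg, roles in sorted(roles_by_alg.items()):
        for role in ("KSK", "ZSK"):
            if role not in roles:
                findings.append(f"algorithm {alg}: no usable {role}")
    return findings
```

Run against the Step 1 listing for zonetransfer.me with policy algorithm 8 the same check returns no findings, which makes it a usable post-rollover sanity check for every signed zone.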