2 Říj
2017
2 Říj
'17
17:35
Hi,
we have a DNSSEC enabled zone, for which knot serves RRSIGs with expire
date in the past (expired on Sept 13th) and signed by a no longer active
ZSK. The correct RRSIGs (uptodate and signed with the current ZSK) are
served as well, so the zone still works.
Is there a way to purge these outdated RRSIGs from the database?
Regards
André
3 Říj
3 Říj
4:54
André, how do you sign the zone? Is Knot DNS master or slave in your
configuration? Generally, the DNS server is agnostic to the contents of the
zone - whatever is there gets served.
Ondřej
On Mon, 2 Oct 2017, 17.35 André Keller, <ak(a)list.ak.cx> wrote:
Hi,
we have a DNSSEC enabled zone, for which knot serves RRSIGs with expire
date in the past (expired on Sept 13th) and signed by a no longer active
ZSK. The correct RRSIGs (uptodate and signed with the current ZSK) are
served as well, so the zone still works.
Is there a way to purge these outdated RRSIGs from the database?
Regards
André
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
--
Ondřej Surý <ondrej(a)sury.org>
8:52
Hi Ondřej,
On 03.10.2017 04:54, Ondřej Surý wrote:
André, how do you sign the zone? Is Knot DNS master or slave in your
configuration? Generally, the DNS server is agnostic to the contents
of the zone - whatever is there gets served.
Knot (2.5.4) is master and does the dnssec-signing. From the configuration:
policy:
- id: default_ecdsa
algorithm: ecdsap256sha256
template:
- id: master_dnssec
dnssec-policy: default_ecdsa
dnssec-signing: on
serial-policy: unixtime
file: /var/lib/knot/zones/%s.zone
The zone file in /var/lib/knot/zones does not contain any DNSSEC related
information, this is all added by knot. If I do a:
keymgr example.net list
I do not have a key for the outdated signature anymore. I'm happy to
provide the domain name and full configuration off-list if that helps.
Regards
André
9:21
Hello André,
If the automatic signing is enabled, Knot should remove all unknown or expired RRSIGs
automatically
during re-signing. So it is very suspicious.
What the server prints to the log upon `knotc zone-sign ...`? Could you please send me the
whole server log?
Thanks,
Daniel
On 10/03/2017 08:52 AM, André Keller wrote:
Hi Ondřej,
On 03.10.2017 04:54, Ondřej Surý wrote:
André, how do you sign the zone? Is Knot DNS
master or slave in your
configuration? Generally, the DNS server is agnostic to the contents
of the zone - whatever is there gets served.
Knot (2.5.4) is master and does the dnssec-signing. From the configuration:
policy:
- id: default_ecdsa
algorithm: ecdsap256sha256
template:
- id: master_dnssec
dnssec-policy: default_ecdsa
dnssec-signing: on
serial-policy: unixtime
file: /var/lib/knot/zones/%s.zone
The zone file in /var/lib/knot/zones does not contain any DNSSEC related
information, this is all added by knot. If I do a:
keymgr example.net list
I do not have a key for the outdated signature anymore. I'm happy to
provide the domain name and full configuration off-list if that helps.
Regards
André
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
10:24
Hi Daniel
On 03.10.2017 09:21, Daniel Salzman wrote:
If the automatic signing is enabled, Knot should
remove all unknown or expired RRSIGs automatically
during re-signing. So it is very suspicious.
What the server prints to the log upon `knotc zone-sign ...`? Could you please send me
the whole server log?
2017-10-03T10:01:44 info: [example.com.] zone will be loaded
2017-10-03T10:01:44 notice: [example.com.] journal, obsolete exists,
file '/var/lib/knot/example.com.db'
2017-10-03T10:01:44 info: [example.com.] changes from journal applied
1506932669 -> 1507016770
2017-10-03T10:01:44 info: [example.com.] DNSSEC, loaded key, tag 47100,
algorithm 13, KSK no, ZSK yes, public yes, ready yes, active yes
2017-10-03T10:01:44 info: [example.com.] DNSSEC, loaded key, tag 25437,
algorithm 13, KSK yes, ZSK no, public yes, ready yes, active yes
2017-10-03T10:01:44 info: [example.com.] DNSSEC, signing started
2017-10-03T10:01:44 info: [example.com.] DNSSEC, zone is up-to-date
2017-10-03T10:01:44 info: [example.com.] loaded, serial 1507016770
2017-10-03T10:01:44 info: [example.com.] DNSSEC, next signing at
2017-10-10T09:44:00
2017-10-03T10:01:53 info: [example.com.] notify, outgoing,
203.0.113.1@53: serial 1507016770
2017-10-03T10:01:53 info: [example.com.] notify, outgoing, 192.0.2.1@53:
serial 1507016770
2017-10-03T10:02:12 info: [example.com.] control, received command
'zone-sign'
2017-10-03T10:02:12 info: [example.com.] DNSSEC, dropping previous
signatures, resigning zone
2017-10-03T10:02:12 info: [example.com.] DNSSEC, loaded key, tag 47100,
algorithm 13, KSK no, ZSK yes, public yes, ready yes, active yes
2017-10-03T10:02:12 info: [example.com.] DNSSEC, loaded key, tag 25437,
algorithm 13, KSK yes, ZSK no, public yes, ready yes, active yes
2017-10-03T10:02:12 info: [example.com.] DNSSEC, signing started
2017-10-03T10:02:12 info: [example.com.] DNSSEC, successfully signed
2017-10-03T10:02:12 info: [example.com.] DNSSEC, next signing at
2017-10-10T10:02:12
2017-10-03T10:02:12 info: [example.com.] notify, outgoing,
203.0.113.1@53: serial 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing,
203.0.113.1@46104: started, serial 1507016770 -> 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing,
203.0.113.1@46104: finished, 0.00 seconds, 1 messages, 15856 bytes
2017-10-03T10:02:12 info: [example.com.] notify, outgoing, 192.0.2.1@53:
serial 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing,
192.0.2.1@55378: started, serial 1507016770 -> 1507017732
2017-10-03T10:02:12 info: [example.com.] IXFR, outgoing,
192.0.2.1@55378: finished, 0.00 seconds, 1 messages, 15856 bytes
I did not check correctly before as it seems. The master indeed does
only serve the correct RRSIGs. It turns out it was the slaves (knot
as-well) that somehow still served the old RRSIGs but otherwise an
up-to-date zone. I did purge the zones from the slaves now (knotc -f
zone-purge && knotc reload) and now the slaves serve the correct RRSIGs
as-well.
Lets see if this reoccurs, otherwise sorry for the noise.
Regards
André
2846
days inactive
2847
days old
4 comments
3 participants
participants (3)
-
André Keller -
Daniel Salzman -
Ondřej Surý