Hi Ulrich,
CDS/CDNSKEY records are also managed by signing routines, based on KSK
state and configuration:
(this is true even with manual key management). So you can't DDNS them,
just like other DNSSEC-related records.
I have no idea how you could modify the Knot key set remotely, other than
ssh or similar. Configuration could potentially be modified remotely
with
, but the purpose of this feature is very different.
CSYNC records are not part of DNSSEC signing, and you can DDNS them freely.
BR,
Libor
On 16. 02. 21 at 23:37 Ulrich Wisser wrote:
Hi Libor,
Thanks for your fast reply! It helps somewhat, but not all the way.
Is there any way I can do this remotely? I would like to add/delete additional non-signing
keys from a central control unit.
Next step is to import CDS/CDNSKEY records. It seems dynamic updates don’t like these
either.
Can I dynamically add CSYNC?
/Ulrich
> On 16 Feb 2021, at 18:49, libor.peltan <libor.peltan(a)nic.cz> wrote:
>
> Hi Ulrich,
>
> thank you for reporting your difficulties.
>
> Well, DDNS provides the ability to modify zone records, but not signing keys. Even if
> the update of the DNSKEY record wasn't prohibited through DDNS, it wouldn't help you
> much, because the DNSKEY RRset is under full control of the signing routines. Knot indeed
> doesn't "like" DDNS of even RRSIG and NSEC records, etc.
>
> My recommendations will differ depending on what you are actually trying to achieve.
>
> If you want to add another ZSK that will be used for signing, you need to import it
> into the KASP db, with its public and private part and appropriate metadata (mostly
> timers).
>
> If you want to add a ZSK that will reside in the DNSKEY RRset but is not used for
> signing the zone, you need to import it as "public only", with its public part
> and metadata.
>
> Both can be done with the keymgr utility and its `import-bind`, `import-pub`,
> `import-pem` functions. See
> https://www.knot-dns.cz/docs/3.0/singlehtml/index.html#document-man_keymgr
>
> Either way, the DNSKEY RRset in the zone will be updated as part of the following signing
> process.
>
> I hope this helps you,
>
> Libor
>
> On 16. 02. 21 at 18:25 Ulrich Wisser wrote:
>> Hi!
>>
>> Today we tried to do a dynamic update to the dnskey set.
>>
>> What we want to do is to import the ZSK from another signer.
>>
>> Didn’t work so well.
>>
>> Feb 16 17:15:28 ip-172-31-38-41 knotd[24222]: warning: DDNS, refusing to update DNSSEC-related record
>>
>> I guess knot doesn’t like dynamic DNSSEC updates.
>> I even tried with policy manual:on.
>>
>> What does one have to do to be allowed to add (or delete) DNSKEY records?
>>
>> /Ulrich
>>
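An added example for the thread above, not code from Knot or from either poster. The DNSKEY side has to go through keymgr (`import-bind`, `import-pub`, `import-pem`) as Libor describes; this block models the other half of the answer, the DDNS side. It assembles an RFC 2136 DNS UPDATE message that adds a CSYNC record (RFC 7477) to a zone, the record Libor says can be DDNS'd freely, and refuses on the client side to build an update for the types the thread says the signer owns (DNSKEY, RRSIG, NSEC, CDS, CDNSKEY), mirroring knotd's "refusing to update DNSSEC-related record" warning before anything hits the wire. Assumptions: NSEC3 and NSEC3PARAM are added to the refused set by assumption, the zone, serial and message ID are constructed sample values, and no TSIG is attached (add it when actually sending). It uses only the standard library and can be inspected offline.

```python
"""Build an RFC 2136 DNS UPDATE that adds a CSYNC record (RFC 7477).

Added example for the Knot DDNS thread; not Knot's own code.
Signer-owned types are refused here before anything is sent, while CSYNC
is encoded and placed in the UPDATE section.
"""
import struct

# Types the thread says Knot's signing routines control. NSEC3 and
# NSEC3PARAM are added here by assumption; they are signer-generated too.
SIGNER_OWNED = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

# RR type codes from the IANA registry, only the ones this example needs.
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "RRSIG": 46, "NSEC": 47,
              "DNSKEY": 48, "NSEC3": 50, "NSEC3PARAM": 51, "CDS": 59,
              "CDNSKEY": 60, "CSYNC": 62}
CODE_TYPES = {v: k for k, v in TYPE_CODES.items()}

OPCODE_UPDATE = 5
CSYNC_IMMEDIATE = 0x0001   # RFC 7477 flag: parent may act at once
CSYNC_SOAMINIMUM = 0x0002  # RFC 7477 flag: child SOA serial must be >= serial field


def encode_name(name):
    """Encode an absolute domain name as uncompressed wire-format labels."""
    out = b""
    for lab in name.rstrip(".").split("."):
        raw = lab.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def type_bitmap(types):
    """RFC 4034 section 4.1.2 type bitmap: window blocks, trailing zeros trimmed."""
    windows = {}
    for t in types:
        code = TYPE_CODES[t]
        win, low = code >> 8, code & 0xFF
        bits = windows.setdefault(win, bytearray(32))
        bits[low >> 3] |= 0x80 >> (low & 7)
    out = b""
    for win in sorted(windows):
        bits = bytes(windows[win]).rstrip(b"\x00")
        out += bytes([win, len(bits)]) + bits
    return out


def parse_type_bitmap(data):
    """Inverse of type_bitmap: return the type mnemonics in code order."""
    codes, pos = [], 0
    while pos < len(data):
        win, length = data[pos], data[pos + 1]
        bits = data[pos + 2:pos + 2 + length]
        pos += 2 + length
        for i, byte in enumerate(bits):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    codes.append((win << 8) | (i * 8 + bit))
    return [CODE_TYPES.get(c, "TYPE%d" % c) for c in sorted(codes)]


def csync_rdata(serial, immediate, soaminimum, types):
    """CSYNC RDATA (RFC 7477 section 2.1): SOA serial, flags, type bitmap."""
    flags = (CSYNC_IMMEDIATE if immediate else 0) | (CSYNC_SOAMINIMUM if soaminimum else 0)
    return struct.pack("!IH", serial, flags) + type_bitmap(types)


def parse_csync_rdata(rdata):
    """Decode CSYNC RDATA back into (serial, immediate, soaminimum, types)."""
    serial, flags = struct.unpack("!IH", rdata[:6])
    return (serial, bool(flags & CSYNC_IMMEDIATE),
            bool(flags & CSYNC_SOAMINIMUM), parse_type_bitmap(rdata[6:]))


def build_update(zone, owner, rtype, ttl, rdata, msg_id=0x1234):
    """Assemble a DNS UPDATE message adding one RR in class IN.

    Refuses signer-owned types up front, the client-side counterpart of
    knotd's 'DDNS, refusing to update DNSSEC-related record' warning.
    """
    if rtype in SIGNER_OWNED:
        raise ValueError("%s is managed by the signer; import it with keymgr, not DDNS" % rtype)
    # Header: ID, opcode UPDATE in the flags word, ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    # Zone section names the zone as a SOA question in class IN
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_CODES["SOA"], 1)
    # Update section: one RR to add (class IN means "add to RRset")
    update_rr = (encode_name(owner)
                 + struct.pack("!HHIH", TYPE_CODES[rtype], 1, ttl, len(rdata))
                 + rdata)
    return header + zone_section + update_rr


if __name__ == "__main__":
    # Constructed sample: ask the parent to sync NS and A at serial 2021021601.
    rd = csync_rdata(2021021601, True, True, ["A", "NS"])
    msg = build_update("example.com.", "example.com.", "CSYNC", 3600, rd)
    print("CSYNC rdata:", rd.hex())
    print("UPDATE (%d bytes):" % len(msg), msg.hex())
    try:
        build_update("example.com.", "example.com.", "DNSKEY", 3600, b"\x00")
    except ValueError as exc:
        print("refused:", exc)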