New subject: Question on ZSK rollover

7 Pro 2018

Hi all,

one of my zones made a ZSK rollover yesterday. I had an some recursive 
resolvers validation errors at different times. This is the log output 
from knot of the rollover:

Dec  6 17:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, ZSK rollover 
started
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800, 
algorithm RSASHA256, KSK, public, ready, active
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 15820, 
algorithm RSASHA256, public
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 38188, 
algorithm RSASHA256, public, active
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, successfully 
signed
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at 
2018-12-06T18:16:49
Dec  6 17:16:49 a knotd[9924]: info: [voja.de.] zone file updated, 
serial 1543943808 -> 1544113009
Dec  6 17:16:50 a knotd[9924]: info: [voja.de.] notify, outgoing, 
10.10.10.10@53: serial 1544113009
Dec  6 17:16:50 a knotd[9924]: info: [voja.de.] IXFR, outgoing, 
10.10.10.10@45727: started, serial 1543943808 -> 1544113009
Dec  6 17:16:50 a knotd[9924]: info: [voja.de.] IXFR, outgoing, 
10.10.10.10@45727: finished, 0.00 seconds, 1 messages, 1329 bytes
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800, 
algorithm RSASHA256, KSK, public, ready, active
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 38188, 
algorithm RSASHA256, public
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 15820, 
algorithm RSASHA256, public, active
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, successfully 
signed
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at 
2018-12-06T19:16:49
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] zone file updated, 
serial 1544113009 -> 1544116609
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] notify, outgoing, 
10.10.10.10@53: serial 1544116609
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing, 
10.10.10.10@53131: started, serial 1544113009 -> 1544116609
Dec  6 18:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing, 
10.10.10.10@53131: finished, 0.00 seconds, 1 messages, 43889 bytes
Dec  6 18:16:50 a knotd[9924]: info: [voja.de.] AXFR, outgoing, 
10.10.10.10@59417: started, serial 1544116609
Dec  6 18:16:50 a knotd[9924]: info: [voja.de.] AXFR, outgoing, 
10.10.10.10@59417: finished, 0.00 seconds, 1 messages, 28054 bytes
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800, 
algorithm RSASHA256, KSK, public, ready, active
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 15820, 
algorithm RSASHA256, public, active
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, successfully 
signed
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at 
2018-12-07T15:16:48
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] zone file updated, 
serial 1544116609 -> 1544120209
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] notify, outgoing, 
10.10.10.10@53: serial 1544120209
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing, 
10.10.10.10@55161: started, serial 1544116609 -> 1544120209
Dec  6 19:16:49 a knotd[9924]: info: [voja.de.] IXFR, outgoing, 
10.10.10.10@55161: finished, 0.00 seconds, 1 messages, 1329 bytes

10.10.10.10 is the (anonymized) IP of the distribution server, which is 
a Bind server. The actual authorative nameservers get the zone from Bind 
with IFXR or AXFR. AXFR is used for distribution to a anycast nameserver 
pair.

When looking at the ZSK rollover timing, I notice that after two hours 
Knot stopped signing with the old ZSK. Does this make sense? The last 
event before the rollover has been this resining:

Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, signing zone
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 53800, 
algorithm RSASHA256, KSK, public, ready, active
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, key, tag 38188, 
algorithm RSASHA256, public, active
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, signing started
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, successfully 
signed
Dec  4 18:16:48 a knotd[9924]: info: [voja.de.] DNSSEC, next signing at 
2018-12-06T17:16:48

Is it possible that this is an issue with a propagation-delay that is 
too low (default value applies).

Regards
    Volker

Question on KSK rollover