9.16.2 / DNSSEC / DS records
Jukka Pakkanen
2020-04-15 23:21:53 UTC
Updating from 9.14.11 to 9.16.2 and migrating existing signed zones to dnssec-policy, and I have a couple of questions, probably quite trivial...

We have signed zones with different key algorithms; now I want everything under the same ecdsa256 policy. I guess when the key algorithm changes, for example from 8 to 13, we need to update the DS key at the registrar as well?

About the DS keys, where can I find or retrieve them after the zone is automatically re-signed by the dnssec-policy, to insert into Hover.com's zone data?

The Finnish Traficom .fi root service was able to retrieve the new DS records itself, but for Hover I need to insert them manually.

Do I need to keep the old DS records at the registrar for some period of time, or can I just swap the information there without breaking anything?
Jukka Pakkanen
2020-04-15 23:28:00 UTC
And yet, after updating Gemtrade.fi to dnssec-policy, ZSK and KSK both "13", and updating the DS record at the .fi root, I still get:

(algorithm 13 not supported, signature verification failed)

In the Verisign DNSSEC verifier.

Mark Andrews
2020-04-16 00:29:34 UTC
> Updating from 9.14.11 to 9.16.2 and migrating existing signed zones to dnssec-policy, and I have a couple of questions, probably quite trivial...
> We have signed zones with different key algorithms; now I want everything under the same ecdsa256 policy. I guess when the key algorithm changes, for example from 8 to 13, we need to update the DS key at the registrar as well?

Yes.

> About the DS keys, where can I find or retrieve them after the zone is automatically re-signed by the dnssec-policy, to insert into Hover.com's zone data?

dnssec-policy will publish CDS and CDNSKEY records after the right amount of time, and if your registrar is checking they will automatically update the DS RRset in the parent zone. Otherwise you can use dnssec-dsfromkey to generate DS records from the DNSKEY records.

> The Finnish Traficom .fi root service was able to retrieve the new DS records itself, but for Hover I need to insert them manually.
> Do I need to keep the old DS records at the registrar for some period of time, or can I just swap the information there without breaking anything?

You can swap, but note you need to wait until all caches are free of the records that were only signed with algorithm 8. Once the DS records are published you have to wait until all old DS records that listed algorithm 8 have cleared from caches before you stop signing with algorithm 8. There should be no CDS or CDNSKEY records for algorithm 8 when you do this.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
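A worked version of the two points in the reply above, added here as an example; it is not BIND's code and not part of the thread. It derives DS and CDS records from a DNSKEY the way dnssec-dsfromkey does (RFC 4034 section 5.1.4 digest, Appendix B key tag) and then checks the parent DS set against the zone's DNSKEY set at each stage of an 8-to-13 rollover, using the RFC 6840 section 5.11 rule that every algorithm listed in the DS RRset must also have a DNSKEY and signatures in the zone. The key bytes, the zone name gemtrade.fi and the stage labels are constructed for illustration and are not real keys.

```python
"""DS/CDS from DNSKEY, plus an algorithm-rollover consistency check.

Added example, not BIND's code. Digest and key tag per RFC 4034;
the rollover rule per RFC 6840 s5.11. All key material below is constructed.
"""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # 8 = RSASHA256, 13 = ECDSAP256SHA256
    pubkey_b64: str

    def rdata(self) -> bytes:
        """Wire-form RDATA: flags, protocol, algorithm, raw public key."""
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.pubkey_b64))

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex, as in presentation format


def dnskey_from_raw(flags: int, algorithm: int, raw_key: bytes) -> DNSKEY:
    """Build a DNSKEY from raw public-key bytes (base64-encodes them)."""
    return DNSKEY(flags, 3, algorithm, base64.b64encode(raw_key).decode("ascii"))


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """What dnssec-dsfromkey computes: digest(owner name in wire form || DNSKEY RDATA)."""
    h = DIGEST[digest_type](name_to_wire(owner) + key.rdata())
    return DS(key.key_tag(), key.algorithm, digest_type, h.hexdigest().upper())


def rr_text(owner: str, rtype: str, ds: DS) -> str:
    """Presentation form of a DS or CDS record; CDS carries the same RDATA as DS."""
    return f"{owner} IN {rtype} {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}"


def check_rollover(owner, dnskeys, parent_ds, signing_algs):
    """Return the reasons a validator would reject the zone, or [] if none.

    RFC 6840 s5.11: for every algorithm in the DS RRset the zone must carry a
    DNSKEY of that algorithm and be signed with it, and at least one DS must
    match a DNSKEY so the chain of trust actually closes.
    """
    problems = []
    dnskey_algs = {k.algorithm for k in dnskeys}
    for alg in sorted({d.algorithm for d in parent_ds}):
        if alg not in dnskey_algs:
            problems.append(f"DS for algorithm {alg} but no DNSKEY of that algorithm")
        elif alg not in signing_algs:
            problems.append(f"DS for algorithm {alg} but zone not signed with it")
    matches = {ds_from_dnskey(owner, k, d.digest_type) for k in dnskeys for d in parent_ds}
    if not any(d in matches for d in parent_ds):
        problems.append("no DS in the parent matches any DNSKEY in the zone")
    return problems


# Constructed, non-functional key bytes (NOT real keys) so everything runs offline.
ZONE = "gemtrade.fi."
KSK8 = dnskey_from_raw(257, 8, b"\x03\x01\x00\x01" + bytes(range(256)))  # RSA exponent+modulus layout
KSK13 = dnskey_from_raw(257, 13, bytes(range(64)))                       # 64-byte P-256 point layout
ZSK13 = dnskey_from_raw(256, 13, bytes(range(64, 128)))


def rollover_stages():
    """Walk the 8 -> 13 rollover from the thread; stage 3 is the mistake the reply warns about."""
    ds8, ds13 = ds_from_dnskey(ZONE, KSK8), ds_from_dnskey(ZONE, KSK13)
    both = [KSK8, KSK13, ZSK13]
    return {
        "1 DS for 8 and 13 published, signing with 8 and 13": check_rollover(ZONE, both, [ds8, ds13], {8, 13}),
        "2 DS swapped to 13 only, still signing with 8 and 13": check_rollover(ZONE, both, [ds13], {8, 13}),
        "3 old DS 8 still cached, signing with 8 stopped too early": check_rollover(ZONE, both, [ds8, ds13], {13}),
        "4 caches clean, algorithm 8 keys removed": check_rollover(ZONE, [KSK13, ZSK13], [ds13], {13}),
    }


if __name__ == "__main__":
    for rtype in ("DS", "CDS"):
        print(rr_text(ZONE, rtype, ds_from_dnskey(ZONE, KSK13)))
    for stage, problems in rollover_stages().items():
        print(stage, "->", problems or "OK")
```

Stage 3 is the case where a resolver still holds the algorithm 8 DS in cache while the zone has already dropped its algorithm 8 signatures: that resolver sees a DS algorithm the zone no longer signs with and marks the zone bogus, which is why the old algorithm must stay in use until the parent's DS TTL has expired from every cache. Before pasting the generated DS into a registrar form, compare it against the CDS the zone itself is publishing; the two must be identical.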
Mark Andrews
2020-04-16 00:43:46 UTC
Well the tester doesn’t support algorithm 13. The red x’s should be cautions as they aren’t failures (no working ds/dnskey pairs for supported algorithms in use), but rather the zone should be treated as insecure by the tester.

Mark
Jukka Pakkanen
2020-04-16 07:58:52 UTC
Thanks!