I'm looking into migrating from Bind9 to PowerDNS. Although I've not changed nameservers on the domain yet, I've imported my zone file, imported my existing KSK and ZSK and that works fine:
root@ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
root@ned:~#

When I do an A record lookup I also get a single RRSIG as expected:

root@ned:~# dig +short +dnssec a parsemail.org @51.91.158.226
A 7 2 86400 20191024000000 20191003000000 8897 parsemail.org. Z3RBkP2I+qkjYLeQAL1WuvQlFySpA8G3bBNVNomV49IcHke4p1/dalhH PmYoexPb2rOrjqiOod3ZMJwm/pHj+xt2Flr7MAcpzwNoVW4ktP7aDOkb HToFVetep7dd/dbf0Z/v9NAuSbrk77EtoMLIJBQKkiGXEVJzllBBRi6C 70E=
164.132.228.175
root@ned:~#

However, I've tested rolling the ZSK, and I don't know if I've missed a step but something weird happens. First, adding a new ZSK works fine:

root@ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1
Added a ZSK with algorithm = 5, active=1
Requested specific key size of 1024 bits
3
root@ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
root@ned:~# dig +short +dnssec a parsemail.org @51.91.158.226
164.132.228.175
A 7 2 86400 20191024000000 20191003000000 21947 parsemail.org. ehGATVrFl+qo9I7pmbb3WGRKCaWRR6ZvLr0vBq33Gcn3SAI9W7SumEyM f/1seXhfGbZKtpP9ZmX0ZIP8hWkv56mZMpnfAYPLN6Pfs0Qmm5UT7/hY UAast/yLmUmu58cHKgSUdzKQt0cufw1nrVIuAlzRNa4PsH0+19Jg/ucS tfM=
A 7 2 86400 20191024000000 20191003000000 8897 parsemail.org. Z3RBkP2I+qkjYLeQAL1WuvQlFySpA8G3bBNVNomV49IcHke4p1/dalhH PmYoexPb2rOrjqiOod3ZMJwm/pHj+xt2Flr7MAcpzwNoVW4ktP7aDOkb HToFVetep7dd/dbf0Z/v9NAuSbrk77EtoMLIJBQKkiGXEVJzllBBRi6C 70E=
root@ned:~#

As you can see above I now have 2 ZSKs and 2 RRSIGs with each lookup.
But when I go to remove the old ZSK:

root@ned:~# pdnsutil remove-zone-key parsemail.org 2
root@ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
root@ned:~# pdnsutil remove-zone-key parsemail.org 2
root@ned:~# pdnsutil list-keys
Zone           Type  Size  Algorithm           ID  Location    Keytag
----------------------------------------------------------------------------------
parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
root@ned:~# dig +short +dnssec a parsemail.org @51.91.158.226
A 7 2 86400 20191024000000 20191003000000 36696 parsemail.org. PbSfL1r+Guzq4cDn26bOKeNYYI+Gv1W8Pq4jDnYlqHHOe1uG8hYeL3iU XfMVVTjR80Fzaj2cavTFqxWjxcvp+nzbdGT3m3lbRFiasQnsW+KWpSOw PbzYMr1PQAC8RQuKZkmRxqhXUV0L7oso762WUBfTPYKP7xha7RDtEsa1 idgqnCN+vasBCHA4mFx7tm73/0pKQsCEXC3ZIJkmD5iIHJR/hxdp7LfW Cl0TC1ntdhwCblepjzJ525ZWBeA8FuB0ZzfHj2oNv0nDvZU2v+c90rMP nijE6hzSkUnJC5vWZOGeJE0ONd2PBDHAc2SyZgOHmI3FnxQWTmT0Tg9s TOn+YA==
A 7 2 86400 20191024000000 20191003000000 21947 parsemail.org. ehGATVrFl+qo9I7pmbb3WGRKCaWRR6ZvLr0vBq33Gcn3SAI9W7SumEyM f/1seXhfGbZKtpP9ZmX0ZIP8hWkv56mZMpnfAYPLN6Pfs0Qmm5UT7/hY UAast/yLmUmu58cHKgSUdzKQt0cufw1nrVIuAlzRNa4PsH0+19Jg/ucS tfM=
164.132.228.175
root@ned:~#

So the ZSK was removed, but now the output lists the new ZSK as a CSK, and I'm still getting 2 RRSIGs. What have I done wrong or missed?

Regards,
Mike
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
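The three lookups from the post, parsed into a per-answer signing-key report so each rollover step can be checked for the symptom Mike describes (a KSK-tagged key signing ordinary records, and more than one signer). This is an added example, not code from the post or from PowerDNS; it assumes only the `dig +short +dnssec` output format shown above, the function and field names are mine, and the sample signatures are shortened copies of the post's values.

```python
"""Signing-key audit for `dig +short +dnssec` output (added example, not from the post).
In +short mode an RRSIG prints as bare RDATA:
  TYPE alg labels origttl expiration inception keytag signer signature..."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str
    expiration: str
    inception: str

def parse_short_dnssec(output):
    """Split +short output into plain answer RDATA lines and parsed RRSIG records."""
    rdata, sigs = [], []
    for line in output.strip().splitlines():
        f = line.split()
        # RRSIG RDATA: numeric alg/labels/ttl/keytag in fixed positions and a dotted signer.
        if len(f) >= 9 and all(x.isdigit() for x in (f[1], f[2], f[3], f[6])) and f[7].endswith("."):
            sigs.append(Rrsig(f[0], int(f[1]), int(f[6]), f[7], f[4], f[5]))
        else:
            rdata.append(line)
    return rdata, sigs

def rollover_report(output, expected_zsk, ksk_tags):
    """Check one answer against the key tag that should be its sole signer.
    ksk_signing_data is the symptom in the post: a key tag listed as KSK/CSK
    signing ordinary records, i.e. PowerDNS is treating that key as a CSK."""
    _, sigs = parse_short_dnssec(output)
    tags = {s.key_tag for s in sigs}
    return {
        "signing_tags": sorted(tags),
        "extra_signers": sorted(tags - {expected_zsk}),
        "ksk_signing_data": bool(tags & set(ksk_tags)),
        "rollover_complete": tags == {expected_zsk},
    }

# Constructed samples copied from the post's three lookups, signatures truncated.
BEFORE = """A 7 2 86400 20191024000000 20191003000000 8897 parsemail.org. Z3RBkP2I 70E=
164.132.228.175"""
DURING = """164.132.228.175
A 7 2 86400 20191024000000 20191003000000 21947 parsemail.org. ehGATVrF tfM=
A 7 2 86400 20191024000000 20191003000000 8897 parsemail.org. Z3RBkP2I 70E="""
AFTER = """A 7 2 86400 20191024000000 20191003000000 36696 parsemail.org. PbSfL1r+ TOn+YA==
A 7 2 86400 20191024000000 20191003000000 21947 parsemail.org. ehGATVrF tfM=
164.132.228.175"""
```

Running `rollover_report(AFTER, 21947, {36696})` reports the KSK tag 36696 among the signers and the rollover as incomplete, which is exactly the state the last `list-keys` output (both keys shown as CSK) corresponds to.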