Hi Mike, I spotted something that *might* be the root of your issue (and perhaps a small bug on our end).
On 10/14/19 9:54 AM, Mike Cardwell wrote:

> root@ned:~# pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1
> Added a ZSK with algorithm = 5, active=1
> Requested specific key size of 1024 bits
> 3
> root@ned:~# pdnsutil list-keys
> Zone           Type  Size  Algorithm           ID  Location    Keytag
> ----------------------------------------------------------------------------------
> parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  2   cryptokeys  8897
> parsemail.org  ZSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
> parsemail.org  KSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696

A key with algo 5 (rsasha1) is created, but it looks like your zone uses NSEC3, meaning PowerDNS will 'fake' algorithm 7 (Algorithm 5 can't be used with NSEC3). Could you verify with an SQL query (`select * from cryptokeys`) that the existing keys are algo 7 in the database and the new one is 5?

> root@ned:~# pdnsutil list-keys
> Zone           Type  Size  Algorithm           ID  Location    Keytag
> ----------------------------------------------------------------------------------
> parsemail.org  CSK   2048  RSASHA1-NSEC3-SHA1  1   cryptokeys  36696
> parsemail.org  CSK   1024  RSASHA1-NSEC3-SHA1  3   cryptokeys  21947
>
> So the ZSK was removed, but now the output lists the new ZSK as a CSK,
> and I'm still getting 2 RRSIGs. What have I done wrong or missed?

I *think* this might be the mix of algo 5 and 7 in the database. Can you try to create the new key like this:

    pdnsutil add-zone-key parsemail.org zsk 1024 active rsasha1-nsec3-sha1

and test if you indeed see a good KSK/ZSK split? If so, there might be some logic missing in handling the 'automatic' upgrade from algo 5 to 7 in NSEC3 zones.

Best regards,

Pieter

-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
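A small check for the mixed-algorithm condition Pieter asks Mike to confirm, added here as an example and not code from the thread or from PowerDNS itself. The rows and the table layout are constructed to mimic what `select * from cryptokeys` returns, and the hypothetical `audit_keys` function reports which active keys are stored as algorithm 5 but published as 7 in an NSEC3 zone.

```python
import re
import sqlite3

# Constructed rows shaped like PowerDNS's cryptokeys table
# (id, domain_id, flags, active, content); not Mike's real keys.
# flags 257 = KSK/CSK (SEP bit), 256 = ZSK; key material is elided since
# only the ISC-format "Algorithm:" line matters here.
SAMPLE_ROWS = [
    (1, 1, 257, 1, "Private-key-format: v1.2\nAlgorithm: 7 (NSEC3RSASHA1)\nModulus: elided\n"),
    (2, 1, 256, 1, "Private-key-format: v1.2\nAlgorithm: 7 (NSEC3RSASHA1)\nModulus: elided\n"),
    (3, 1, 256, 1, "Private-key-format: v1.2\nAlgorithm: 5 (RSASHA1)\nModulus: elided\n"),
]

# RFC 5155 section 2: an NSEC3 zone publishes RSASHA1 (5) and DSA (3)
# under the NSEC3-aware aliases 7 and 6.
NSEC3_ALIAS = {5: 7, 3: 6}

def load_rows(rows):
    """In-memory table so the `select * from cryptokeys` from the mail runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("create table cryptokeys(id, domain_id, flags, active, content)")
    db.executemany("insert into cryptokeys values (?, ?, ?, ?, ?)", rows)
    return db

def stored_algorithm(content):
    """Algorithm number exactly as stored in the private-key text."""
    return int(re.search(r"^Algorithm:\s*(\d+)", content, re.M).group(1))

def audit_keys(db, nsec3=True):
    """Compare each active key's stored algorithm with the published one.
    A validator expects one RRSIG per published algorithm (RFC 4035 s2.2);
    a signer that loops over the stored numbers instead would emit one per
    stored algorithm, the two-RRSIG symptom the mail blames on mixing 5 and 7."""
    keys, mismatched = [], []
    for kid, flags, content in db.execute(
            "select id, flags, content from cryptokeys where active = 1 order by id"):
        stored = stored_algorithm(content)
        published = NSEC3_ALIAS.get(stored, stored) if nsec3 else stored
        keys.append({"id": kid, "role": "KSK" if flags & 1 else "ZSK",
                     "stored": stored, "published": published})
        if stored != published:
            mismatched.append(kid)   # fix: re-add with rsasha1-nsec3-sha1
    return {"keys": keys, "mismatched_ids": mismatched,
            "stored_algorithms": sorted({k["stored"] for k in keys}),
            "published_algorithms": sorted({k["published"] for k in keys})}

if __name__ == "__main__":
    for k in audit_keys(load_rows(SAMPLE_ROWS))["keys"]:
        print(k)
```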
_______________________________________________ Pdns-users mailing list Pdns-users@mailman.powerdns.com https://mailman.powerdns.com/mailman/listinfo/pdns-users