Incorrect DNSKEY created when DNSSEC is enabled for zone

Solution Verified - Updated -

Issue

If IPA is installed as DNS server and DNSSEC support is enabled, the DNS zones (for which zone signing is enabled) contain 2 DNSSEC keys of type KSK instead of 1 DNSSEC key of type KSK + 1 DNSSEC key of type ZSK. The keys are created with the right type in the OpenDNSSec database but the type is not mapped correctly in the LDAP server, resulting in bind seeing the ZSK with a wrong type.

This configuration (with no ZSK key) is valid from DNSSEC point of view (please refer to https://bind9.readthedocs.io/en/latest/dnssec-guide.html?#types-of-keys), but does not correspond to the most common deployment. The main difference between the 2 types of keys is that KSK are rolled over after 2 years (and the rollover requires manual intervention) while ZSK are automatically rolled over after 3 months.

Example 1.1: zone "secure.example.test." containing a KSK and a ZSK:

# dig +rrcomments secure.example.test DNSKEY
...
;; ANSWER SECTION:
secure.example.test.    86400    IN    DNSKEY    257 3 8 AwEA...  ; KSK; alg = RSASHA256 ; key id = 42259
secure.example.test.    86400    IN    DNSKEY    256 3 8 AwEA...  ; ZSK; alg = RSASHA256 ; key id = 29913
...

Example 1.2: zone "secure.example.test." containing 2 KSKs:

# dig +rrcomments  secure.example.test. DNSKEY
...
;; ANSWER SECTION:
secure.example.test.    86400    IN    DNSKEY    257 3 8 AwEA...  ; KSK; alg = RSASHA256 ; key id = 19357
secure.example.test.    86400    IN    DNSKEY    257 3 8 AwEA...  ; KSK; alg = RSASHA256 ; key id = 57589
...

When a KSK and a ZSK are present, the KSK signs only the DNSSEC key-related RRsets in the zone (DNSKEY, CDS and CDNSKEY) and the ZSK signs all the records except the DNSSEC key-related RRset. When there is no ZSK, the KSK signs all the records.

Example 2.1: SOA signed by a ZSK:

# dig +dnssec +rrcomments secure.example.test. SOA
...
;; ANSWER SECTION:
secure.example.test.    86400    IN    SOA    server.ipa.test. hostmaster.secure.example.test. 1612968114 3600 900 1209600 3600
secure.example.test.    86400    IN    RRSIG    SOA 8 3 86400 20210312144154 20210210134154 29913 secure.example.test. I+Sp...
...

The key id displayed in the record (29913) corresponds to the DNS key that can be seen in Example 1.1 and represents a ZSK.

Example 2.2: SOA signed by a KSK:

# dig +dnssec +rrcomments secure.example.test. SOA
...
;; ANSWER SECTION:
secure.example.test.    86400    IN    SOA    server.ipa.test. hostmaster.secure.example.test. 1612964847 3600 900 1209600 3600
secure.example.test.    86400    IN    RRSIG    SOA 8 3 86400 20210312134730 20210210124730 19357 secure.example.test. 4ZF6...
secure.example.test.    86400    IN    RRSIG    SOA 8 3 86400 20210312134730 20210210124730 57589 secure.example.test. WWC3...
...

The key ids displayed in the record corresponds to the DNS keys that can be seen in Example 1.2 and represents a KSK.

Environment

  • Red Hat Enterprise Linux 8.3

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In