ZSK rollover removes the old key too early
On Debian Linux with Knot 2.6.9 (upstream old stable package), one of my zones went bogus today.
The zone uses a default TTL of 86400. The DNSSEC policy timers are mostly on defaults:
  - id: ecdsa
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d
    rrsig-lifetime: 30d
    rrsig-refresh: 15d
    nsec3: on
The rollover went like this:
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, ZSK rollover started
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37015, algorithm ECDSAP256SHA256, KSK, public, active
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37711, algorithm ECDSAP256SHA256, public
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 39969, algorithm ECDSAP256SHA256, public, active
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, successfully signed
Nov 21 15:21:00 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, next signing at 2018-11-21T16:20:59
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, signing zone
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37015, algorithm ECDSAP256SHA256, KSK, public, active
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 39969, algorithm ECDSAP256SHA256, public
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37711, algorithm ECDSAP256SHA256, public, active
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, successfully signed
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, next signing at 2018-11-21T17:20:59
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, signing zone
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37015, algorithm ECDSAP256SHA256, KSK, public, active
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37711, algorithm ECDSAP256SHA256, public, active
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, successfully signed
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, next signing at 2018-12-06T16:20:59
I noticed the zone as bogus around 18:00. The affected resolver still had the old DNSKEY RRset cached, without the new ZSK (key id 37711):
# dig 8.1.7.0.1.0.0.2.ip6.arpa dnskey +dnssec +multi @::1
…
;; ANSWER SECTION:
8.1.7.0.1.0.0.2.ip6.arpa. 28986 IN DNSKEY 256 3 13 (
V75YHZ3AzDGlxRHGK5VOhFlAlTmKNnW2r5ST0vqnujxp
Km2y+rLgDllr5CQArxeLvh+5bOud3OvI8Nb9hW35Eg==
) ; ZSK; alg = ECDSAP256SHA256; key id = 39969
8.1.7.0.1.0.0.2.ip6.arpa. 28986 IN DNSKEY 257 3 13 (
l5Q0Yim0B7LJYTveexWS68pKMZT7Ib9lW5IOWZuPMFmN
jFCgAWkAd7jpnkuQHw5joZOnAhF66drwCsBZB6e99A==
) ; KSK; alg = ECDSAP256SHA256; key id = 37015
8.1.7.0.1.0.0.2.ip6.arpa. 28986 IN RRSIG DNSKEY 13 10 86400 (
20181206152059 20181106135059 37015 8.1.7.0.1.0.0.2.ip6.arpa.
AULNjAs+AjDiZd4QOgF2tktZ6+Orglfxw33bHy3GCQP4
NlDJVmAU4yJQPuUbkDuydqE4AKDWddujgwyC6Nr2SA== )
Zone data were, however, signed by the new ZSK exclusively:
# dig 8.1.7.0.1.0.0.2.ip6.arpa soa +dnssec +multi @::1 +cdflag
…
;; ANSWER SECTION:
8.1.7.0.1.0.0.2.ip6.arpa. 54 IN SOA nsa.cesnet.cz. hostmaster.cesnet.cz. (
2018110704 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
1814400 ; expire (3 weeks)
900 ; minimum (15 minutes)
)
8.1.7.0.1.0.0.2.ip6.arpa. 54 IN RRSIG SOA 13 10 86400 (
20181221162059 20181121145059 37711 8.1.7.0.1.0.0.2.ip6.arpa.
i/60i6+BUAI8u+NB5X1DMjls9RZCA5XujOHfqWiQYu+D
/ivKTw2QhN3FO6bhL/VGfqmo03LPGhgrmTzzVD7bWw== )
Flushing the resolvers' caches works around the issue, as does using a lower TTL for the zone. Our forward zones use a TTL of 1h and no such problem was noticed with them.
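As an added check (not part of this report and not Knot DNS code), the script below reconstructs the ZSK timeline from the per-key knotd lines quoted above and compares it against the pre-publish rollover constraints of RFC 6781: the new ZSK may only start signing once every cached copy of the old DNSKEY RRset has expired, and the old ZSK may only be removed once every RRSIG it produced has expired from caches. The DNSKEY TTL and maximum zone TTL of 86400 s come from the report; the 1 h propagation delay and the year 2018 are assumed values.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the per-key knotd lines from the three signing runs in the report.
LOG = """\
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37015, algorithm ECDSAP256SHA256, KSK, public, active
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37711, algorithm ECDSAP256SHA256, public
Nov 21 15:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 39969, algorithm ECDSAP256SHA256, public, active
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37015, algorithm ECDSAP256SHA256, KSK, public, active
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 39969, algorithm ECDSAP256SHA256, public
Nov 21 16:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37711, algorithm ECDSAP256SHA256, public, active
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37015, algorithm ECDSAP256SHA256, KSK, public, active
Nov 21 17:20:59 daisy knotd[613]: info: [8.1.7.0.1.0.0.2.ip6.arpa.] DNSSEC, key, tag 37711, algorithm ECDSAP256SHA256, public, active
"""
KEY_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ knotd\[\d+\]: info: \[\S+\] "
                    r"DNSSEC, key, tag (\d+), [^,]+, (.*)$")

def parse_key_states(log, year=2018):
    """Map each signing run (timestamp) to {key tag: (is_ksk, is_active)}; syslog lines carry no year."""
    runs = {}
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue  # 'signing zone', 'successfully signed', ... are not key lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        flags = m.group(3).split(", ")
        runs.setdefault(ts, {})[int(m.group(2))] = ("KSK" in flags, "active" in flags)
    return runs

def zsk_timeline(runs):
    """Return (old_zsk, new_zsk, published, activated, old_removed) for a pre-publish rollover that starts at the first run."""
    times = sorted(runs)
    first = runs[times[0]]
    old = next(t for t, (ksk, act) in first.items() if not ksk and act)       # still signing
    new = next(t for t, (ksk, act) in first.items() if not ksk and not act)   # published only
    activated = next(ts for ts in times if runs[ts].get(new) == (False, True))
    removed = next(ts for ts in times if old not in runs[ts])
    return old, new, times[0], activated, removed

def check_timing(published, activated, removed, dnskey_ttl, max_zone_ttl, propagation):
    """RFC 6781 pre-publish constraints (all delays in seconds); returns the list of violations."""
    problems = []
    wait = timedelta(seconds=dnskey_ttl + propagation)  # old DNSKEY RRset must leave all caches first
    if activated < published + wait:
        problems.append(f"new ZSK started signing {published + wait - activated} too early")
    wait = timedelta(seconds=max_zone_ttl + propagation)  # RRSIGs made by the old ZSK must leave caches first
    if removed < activated + wait:
        problems.append(f"old ZSK removed {activated + wait - removed} too early")
    return problems
```

Run against the quoted log with the 86400 s TTLs, both constraints are violated by a full day, which matches the resolver still holding a DNSKEY RRset without key 37711 while the SOA was already signed by it.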