Discussion:
Still seeing some ALG-7 DNSSE
@lbutlr
2021-04-05 16:27:29 UTC
If I do:

cd /etc/named/working/main/
for i in *; do dig "$i" +dnssec | grep "A 13 2" | awk '{print $1}'; done

I see a list of all the domains on the system, so that's good, everything has an ALG-13 signature.

If I do

for i in *; do dig "$i" +dnssec | grep "A 7 2" | awk '{print $1}'; done

I see a list of a handful of domains that still have ALG-7 signatures. This is confirmed by a warning in dnsviz.

I don't see any differences in the configurations, and none of the main records on the registrar list ALG-7 anymore, only ALG-13.

All of the domains are set up with dnssec-policy default.

There are still 007 key files on the system for ALL domains (unexpected), updated every hour (expected).

8 -rw-r--r-- 1 bind bind 1.0K Apr 5 06:21 Kkreme.com.+007+01083.key
8 -rw-r--r-- 1 bind bind 587B Apr 5 06:21 Kkreme.com.+007+01083.state
8 -rw------- 1 bind bind 3.3K Apr 5 06:21 Kkreme.com.+007+01083.private
8 -rw-r--r-- 1 bind bind 708B Apr 5 06:21 Kkreme.com.+007+30512.key
8 -rw-r--r-- 1 bind bind 520B Apr 5 06:21 Kkreme.com.+007+30512.state
8 -rw------- 1 bind bind 1.8K Apr 5 06:21 Kkreme.com.+007+30512.private
8 -rw-r--r-- 1 bind bind 399B Apr 5 06:21 Kkreme.com.+013+29597.key
8 -rw-r--r-- 1 bind bind 651B Apr 5 06:21 Kkreme.com.+013+29597.state
8 -rw------- 1 bind bind 215B Apr 5 06:21 Kkreme.com.+013+29597.private

This domain does not show any ALG-7 keys in dig:

# dig kreme.com +dnssec +short
65.121.55.45
A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==

Is there anything I need to do here or not? Will those alg-7 key files continue to hang around forever? Do I need to do something to get dnsviz and dig +dnssec to stop reporting the old keys or is that like propagation and it will sort itself out? I don't see a pattern in the domains that are still showing alg-7 but it is possible they had the DS/registrar info updated later than the other domains.
--
I loved you when our love was blessed I love you now there's nothing
left But sorrow and a sense of overtime

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
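The loop above greps `dig` output for the literal text "A 13 2", which also matches unrelated lines and cannot tell a signer from an owner name. The following is an added example (not code from the thread or from BIND) that parses the RRSIG fields of `dig +dnssec` output instead, reports which algorithms still sign each zone, and matches that against the `K<zone>.+<alg>+<keytag>.*` key file names from the listing above to find key files whose algorithm no longer signs anything. The dig output and file listing are constructed samples; `example.net` is an invented zone standing in for one of the domains that still carries an ALG-7 signature.

```python
"""Added example: find zones still signed with algorithm 7 and key files
whose algorithm no longer appears in the zone's RRSIGs.

Inputs are constructed samples: kreme.com's lines are taken from the post,
example.net is an invented zone that is still double-signed (7 and 13).
"""
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers for the two algorithms discussed in the thread.
ALGORITHM_NAMES = {7: "RSASHA1-NSEC3-SHA1", 13: "ECDSAP256SHA256"}

# Full-format RRSIG line as printed by `dig +dnssec` (without +short):
# owner TTL IN RRSIG type alg labels origttl expire incept keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+"
    r"\d+\s+\d+\s+\d{14}\s+\d{14}\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

# BIND key file names: K<zone>.+<alg, 3 digits>+<key tag, 5 digits>.<ext>
KEYFILE_RE = re.compile(
    r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<keytag>\d{5})\.(?P<ext>key|private|state)$"
)

# Constructed sample of `dig <zone> +dnssec` answer sections.
SAMPLE_DIG = """\
kreme.com.\t\t3600\tIN\tA\t65.121.55.45
kreme.com.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==
example.net.\t\t3600\tIN\tA\t192.0.2.10
example.net.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20210415161448 20210401155316 11111 example.net. Y29uc3RydWN0ZWQgc2lnbmF0dXJlIG9uZQ==
example.net.\t\t3600\tIN\tRRSIG\tA 7 2 3600 20210415161448 20210401155316 22222 example.net. Y29uc3RydWN0ZWQgc2lnbmF0dXJlIHR3bw==
"""

# Constructed sample of the key directory listing (names from the post).
SAMPLE_KEYFILES = [
    "Kkreme.com.+007+01083.key", "Kkreme.com.+007+01083.state", "Kkreme.com.+007+01083.private",
    "Kkreme.com.+007+30512.key", "Kkreme.com.+007+30512.state", "Kkreme.com.+007+30512.private",
    "Kkreme.com.+013+29597.key", "Kkreme.com.+013+29597.state", "Kkreme.com.+013+29597.private",
]


def signing_algorithms(dig_output):
    """Return {zone: sorted algorithm numbers} seen in the RRSIGs, keyed by signer."""
    algs = defaultdict(set)
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            algs[m["signer"].rstrip(".").lower()].add(int(m["alg"]))
    return {zone: sorted(a) for zone, a in algs.items()}


def zones_signed_with(dig_output, algorithm):
    """Zones whose answers still carry an RRSIG made with `algorithm`."""
    return sorted(z for z, a in signing_algorithms(dig_output).items() if algorithm in a)


def key_files_by_algorithm(filenames):
    """Return {(zone, algorithm): sorted key tags} from BIND key file names."""
    keys = defaultdict(set)
    for name in filenames:
        m = KEYFILE_RE.match(name)
        if m:
            keys[(m["zone"].lower(), int(m["alg"]))].add(int(m["keytag"]))
    return {k: sorted(v) for k, v in keys.items()}


def stale_key_files(dig_output, filenames):
    """Key files whose algorithm no longer appears in that zone's RRSIGs.

    Only zones present in the dig output are judged, so a zone that simply
    was not queried is not reported. Each key tag is listed once, not once
    per .key/.private/.state file.
    """
    signing = signing_algorithms(dig_output)
    stale = []
    for (zone, alg), tags in key_files_by_algorithm(filenames).items():
        if zone in signing and alg not in signing[zone]:
            stale.extend((zone, alg, tag) for tag in tags)
    return sorted(stale)


if __name__ == "__main__":
    for zone, algs in signing_algorithms(SAMPLE_DIG).items():
        print(zone, "signed with", ", ".join(ALGORITHM_NAMES.get(a, str(a)) for a in algs))
    print("still signed with alg 7:", zones_signed_with(SAMPLE_DIG, 7))
    print("key files no longer in use:", stale_key_files(SAMPLE_DIG, SAMPLE_KEYFILES))
```

Run against real data by feeding it the output of `dig <zone> +dnssec` for each zone and `os.listdir()` of the key directory; the `stale_key_files` result is the set of files that `purge-keys` (or a manual cleanup) would eventually remove, while `zones_signed_with(..., 7)` reproduces the poster's grep without false matches.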
Matthijs Mekking
2021-04-06 07:13:58 UTC
Most likely you have to delete those files manually.

In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By
default the keys are retained for 90 days after their latest usage. So
in that case keys will be cleaned up automatically.

If you run a lower version, or if you set "purge-keys 0;" (disabled),
you have to purge key files manually.

Best regards,

Matthijs
Post by @lbutlr
cd /etc/named/working/main/
for i in *; do dig "$i" +dnssec | grep "A 13 2" | awk '{print $1}'; done
I see a list of all the domains on the system, so that's good, everything has an ALG-13 signature.
If I do
for i in *; do dig "$i" +dnssec | grep "A 7 2" | awk '{print $1}'; done
I see a list of a handful of domains that still have ALG-7 signatures. This is confirmed by a warning in dnsviz.
I don't see any differences in the configurations, and none of the main records on the registrar list ALG-7 anymore, only ALG-13.
All of the domains are set up with dnssec-policy default.
There are still 007 key files on the system for ALL domains (unexpected), updated every hour (expected).
8 -rw-r--r-- 1 bind bind 1.0K Apr 5 06:21 Kkreme.com.+007+01083.key
8 -rw-r--r-- 1 bind bind 587B Apr 5 06:21 Kkreme.com.+007+01083.state
8 -rw------- 1 bind bind 3.3K Apr 5 06:21 Kkreme.com.+007+01083.private
8 -rw-r--r-- 1 bind bind 708B Apr 5 06:21 Kkreme.com.+007+30512.key
8 -rw-r--r-- 1 bind bind 520B Apr 5 06:21 Kkreme.com.+007+30512.state
8 -rw------- 1 bind bind 1.8K Apr 5 06:21 Kkreme.com.+007+30512.private
8 -rw-r--r-- 1 bind bind 399B Apr 5 06:21 Kkreme.com.+013+29597.key
8 -rw-r--r-- 1 bind bind 651B Apr 5 06:21 Kkreme.com.+013+29597.state
8 -rw------- 1 bind bind 215B Apr 5 06:21 Kkreme.com.+013+29597.private
# dig kreme.com +dnssec +short
65.121.55.45
A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==
Is there anything I need to do here or not? Will those alg-7 key files continue to hang around forever? Do I need to do something to get dnsviz and dig +dnssec to stop reporting the old keys or is that like propagation and it will sort itself out? I don't see a pattern in the domains that are still showing alg-7 but it is possible they had the DS/registrar info updated later than the other domains.
@lbutlr
2021-04-10 23:22:51 UTC
In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.
Excellent. Does that go in the zone record with default, or does it replace default? I don't see the syntax in the release notes.

Or do I add a

dnssec-policy "default" {
purge-keys 30; // (or is that field seconds?)
}

Or will that mess up the predefined for default?
--
'There has to be enough light,' he panted, 'to see the darkness.'

Matthijs Mekking
2021-04-12 07:12:25 UTC
Post by @lbutlr
In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.
Excellent. Does that go in the zone record with default, or does it replace default? I don't see the syntax in the release notes.
If you don't set "purge-keys" it will be retained for 90 days.
Otherwise, set it inside the 'dnssec-policy' you are using. In other
words, if you want something else, use this:

dnssec-policy "myway" {
purge-keys P30D;
...
// other policy options
};
Post by @lbutlr
Or do I add a
dnssec-policy "default" {
purge-keys 30; // (or is that field seconds?)
}
Or will that mess up the predefined for default?
First, you cannot (re)configure "default" policy, it is a builtin policy.

You can configure a new policy and just add a single option
"purge-keys". Zones with that policy will act the same as the default
policy except for how long to retain keys.

The field is a ttl value or an ISO 8601 duration. So a number is treated
as seconds. If you want 30 days, use 30d or P30D.

Cheers,

Matthijs
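The reply above makes the point that `purge-keys 30;` means 30 seconds, while `30d` and `P30D` both mean 30 days. As an added example (not code from the thread or from BIND), the following parses both value forms named in the reply, BIND's TTL-style values with optional w/d/h/m/s suffixes and ISO 8601 durations, and works out when a key file unused since a given time becomes eligible for purging. It assumes the 90-day default stated above, treats `0` as "purging disabled" as described, and rejects ISO 8601 years and months because their length is not fixed; that rejection is a simplification of this example, not a description of BIND's own behaviour.

```python
"""Added example: interpret purge-keys duration values and compute the
purge date for a retired key file.

Accepted forms: a bare number (seconds), a BIND TTL-style value with unit
suffixes that may be combined (30d, 1w2d, 12h), or an ISO 8601 duration
(P30D, PT1H30M, P1W). Years and months are rejected by this example.
"""
import re
from datetime import datetime, timedelta

TTL_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
TTL_RE = re.compile(r"(\d+)([wdhms])")

ISO_UNITS = {"W": 604800, "D": 86400, "H": 3600, "M": 60, "S": 1}
ISO_RE = re.compile(
    r"^P(?:(?P<W>\d+)W)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<H>\d+)H)?(?:(?P<M>\d+)M)?(?:(?P<S>\d+)S)?)?$"
)


def parse_bind_duration(value):
    """Return the number of seconds a purge-keys value denotes."""
    value = value.strip()
    if not value:
        raise ValueError("empty duration")
    if value.isdigit():                      # bare number: seconds, not days
        return int(value)
    if value[:1].upper() == "P":             # ISO 8601 duration
        m = ISO_RE.match(value.upper())
        if not m or not any(m.groupdict().values()):
            raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
        return sum(int(n) * ISO_UNITS[u] for u, n in m.groupdict().items() if n)
    # TTL-style: one or more <number><unit> pairs and nothing else, e.g. 30d, 1w2d
    lowered = value.lower()
    if TTL_RE.sub("", lowered) != "":
        raise ValueError(f"not a valid duration: {value!r}")
    return sum(int(n) * TTL_UNITS[u] for n, u in TTL_RE.findall(lowered))


def purge_eligible_at(last_used_iso, purge_keys="90d"):
    """Earliest time (ISO 8601 string) a key unused since `last_used_iso` may be purged.

    The default "90d" is the retention stated in the thread. Returns None when
    purge-keys is 0, i.e. automatic purging is disabled and files must be
    removed by hand.
    """
    seconds = parse_bind_duration(purge_keys)
    if seconds == 0:
        return None
    last_used = datetime.fromisoformat(last_used_iso)
    return (last_used + timedelta(seconds=seconds)).isoformat()


if __name__ == "__main__":
    for v in ("30", "30d", "P30D", "1w2d", "90d", "0"):
        print(f"purge-keys {v:>5};  ->  {parse_bind_duration(v):>8} seconds")
    # Constructed timestamp standing in for a key's last use.
    retired = "2021-04-05T06:21:00+00:00"
    print("default retention, purge after:", purge_eligible_at(retired))
    print("purge-keys 0:", purge_eligible_at(retired, "0"))
```

The `30` versus `30d` rows in the output show why the question in the thread matters: a bare number sets a 30-second retention, which is almost certainly not what a `dnssec-policy` author intends.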
@lbutlr
2021-04-12 09:46:03 UTC
Post by Matthijs Mekking
Post by @lbutlr
In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By default the keys are retained for 90 days after their latest usage. So in that case keys will be cleaned up automatically.
Excellent. Does that go in the zone record with default, or does it replace default? I don't see the syntax in the release notes.
dnssec-policy "myway" {
purge-keys P30D;
...
// other policy options
};
I am using dnssec-policy default, not my own dnssec policy.
Post by Matthijs Mekking
Post by @lbutlr
Or do I add a
dnssec-policy "default" {
purge-keys 30; // (or is that field seconds?)
}
Or will that mess up the predefined for default?
First, you cannot (re)configure "default" policy, it is a builtin policy.
I found that out, yes.
Post by Matthijs Mekking
You can configure a new policy and just add a single option "purge-keys". Zones with that policy will act the same as the default policy except for how long to retain keys.
So, I have to add a new policy to every zone? That's annoying. I was hoping to force the old keys to go away faster.
Post by Matthijs Mekking
The field is a ttl value or an ISO 8601 duration. So a number is treated as seconds. If you want 30 days, use 30d or P30D.
Thank you, I may just wait and see what happens. Though no alg-7 files have been deleted yet, even for domains that are not reporting any alg-7 on dnsviz (and they are updated every hour) along with the alg-13 key.
--
I CAN BE ROBBED BUT NEVER DENIED, I TOLD MYSELF. WHY WORRY? 'I too
cannot be cheated,' snapped Fate. SO I HAVE HEARD.
