DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

Александр Остапенко

Aug 15, 2016, 4:07:05 AM
to bind-...@lists.isc.org
Hello.

I'm using BIND 9.9.5.
My steps:
  1. Sign the zone using one ZSK and 2 KSK:
     a) adding the "auto-dnssec maintain;" and "inline-signing yes;" directives into the zone section of named.conf;
     b) setting the publication and activation timestamps to the current time in the key files;
     c) rndc reload.
  2. Change TTL value in the zone file ($TTL 86400   ==>  $TTL 432000).
  3. Increase serial number in SOA record by 1.
  4. rndc reload.
After that, the DNSKEY and RRSIG DNSKEY records still have a TTL value of 86400 (checked via dig).
What could be the reason for such behavior?


Kind regards,
Aleks Ostapenko

Mark Andrews

Aug 15, 2016, 9:59:34 PM
to Александр Остапенко, bind-...@isc.org

In message <CAMUgSQDxY_BnEgnAe4eQpoV_cHb7ScZ=qxT_-4CVW...@mail.gmail.com>, Александр Остапенко writes:
> Hello.
>
> I'm using BIND 9.9.5.
> My steps:
>
> 1. Sign zone using one ZSK and 2 KSK: a) adding "*auto-dnssec
> maintain;*" and "*inline-signing yes;*" directive into zone section of
> named.conf; b) setting publication and activation timestamps to current
> time in key files; c) *rndc reload*.
> 2. Change TTL value in the zone file ($TTL 86400 ==> $TTL 432000).
> 3. Increase serial number in SOA record by 1.
> 4. *rndc reload*.
>
> After that - DNSKEY and RRSIG DNSKEY records still have 86400 value in TTL
> (checked via *dig*).
> What could be the reason for such behavior?
>
>
> Kind regards,
> Aleks Ostapenko

Use "dnssec-settime -L ttl"

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Александр Остапенко

Aug 16, 2016, 3:54:03 AM
to Mark Andrews, bind-...@isc.org
Thanks for the workaround. But in this case, after "dnssec-settime -L ttl" I need to unsign/sign the zone (step 1 of the steps above) in order for the new TTL value to appear in the DNSKEY RRset ("service bind9 reload" or "rndc loadkeys" has no effect). But I would like to find a solution without the need for an unsigning/signing cycle.
Besides, the question is: is this a bug? Or is this behavior caused by some rules or restrictions?

Kind regards,
Александр Остапенко

2016-08-16 8:59 GMT+07:00 Mark Andrews <ma...@isc.org>:

In message <CAMUgSQDxY_BnEgnAe4eQpoV_cHb7ScZ=qxT_-4CVW3nLokctag@mail.gmail.com>

Tony Finch

Aug 22, 2016, 7:36:29 AM
to Александр Остапенко, Mark Andrews, bind-...@isc.org
Александр Остапенко <aleks.osta...@gmail.com> wrote:

> Thanks for a workaround. But in this case - after "dnssec-settime -L ttl" I
> need unsign/sign zone (p.1 of steps above) in order to new TTL value
> appeared in DNSKEY RRset ("service bind9 reload" or "rndc loadkeys" has no
> effect). But I would like to find a solution without the need of
> unsigning/signing cycle.

You might be able to change the TTL using `nsupdate`, but I'm not
confident it'll work - the update has to delete all the DNSKEY records
then re-add them, so it might end up unsigning and resigning the zone.
(If `named` can't change the TTL directly and you do not have
"dnssec-secure-to-insecure yes;" the update will be rejected.)

The other option is to freeze the zone, manually edit the TTL in the
signed master file, then unfreeze.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
German Bight, Humber, Thames, Dover: Southwest 5 or 6, becoming variable 3 or
4 later. Slight or moderate. Rain, fair later. Moderate or good, occasionally
poor.

Aleks Ostapenko

Aug 23, 2016, 4:09:03 AM
to Tony Finch, bind-...@isc.org, Mark Andrews
Thanks.

But in the case of `nsupdate`, yes, this is the unsigning/signing case, which I would like to avoid.
As for the second variant, unfortunately I don't know how to manually edit the TTL in the signed (not raw) master file.


Kind regards,
Aleks Ostapenko

Tony Finch

Aug 23, 2016, 5:48:38 AM
to Aleks Ostapenko, bind-...@isc.org
Aleks Ostapenko <aleks.osta...@gmail.com> wrote:

> As for second variant - unfortunately I don't know how to edit manually TTL
> in the signed (not raw) master file.

(1) Use `rndc freeze` which makes `named` rewrite the zone file with all
pending changes from the journal, and makes it stop making further changes
to the zone.

(2) The signed zone file will normally be in standard text format, so you
can just run the editor of your choice on the file. Change the TTLs of all
the DNSKEY records and the RRSIG DNSKEY to what you want.

(3) Run `rndc thaw` to make `named` reload the zone and permit it to make
changes.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Southeast Fitzroy: Northerly or northwesterly, 4 or 5, increasing 6 at times.
Slight or moderate. Occasional rain. Good, occasionally poor.

Andreas Meyer

Aug 23, 2016, 9:29:05 AM
to bind-...@lists.isc.org
Tony Finch <d...@dotat.at> wrote on 23.08.16 at 10:45:15:

> Aleks Ostapenko <aleks.osta...@gmail.com> wrote:
>
> > As for second variant - unfortunately I don't know how to edit manually TTL
> > in the signed (not raw) master file.
>
> (1) Use `rndc freeze` which makes `named` rewrite the zone file with all
> pending changes from the journal, and makes it stop making further changes
> to the zone.
>
> (2) The signed zone file will normally be in standard text format, so you
> can just run the editor of your choice on the file. Change the TTLs of all
> the DNSKEY records and the RRSIG DNSKEY to what you want.
>
> (3) Run `rndc thaw` to make `named` reload the zone and permit it to make
> changes.

This is the most important information for resigning a zone so that a
change is noticed in a signed zone, and it is missing in
https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html

It took me hours to find out:

rndc freeze domain.de
edit domain.de
rndc reload domain.de
rndc thaw domain.de

Greetings

Andreas

Aleks Ostapenko

Aug 25, 2016, 2:37:18 AM
to Tony Finch, bind-...@isc.org
To make the zone dynamically updatable, I added the 'allow-update { any; };' directive into the `zone` section of named.conf and ran `rndc reload` after that.

Then I ran `rndc freeze <zone_file_name>`. But after this command, the signed zone file (`<zone_file_name>.signed`) still remains
in raw format (not human-readable), so I can read it via the `named-compilezone` utility, but unfortunately I can't change it.

Kind regards,
Aleks Ostapenko

Tony Finch

Aug 25, 2016, 6:16:44 AM
to Aleks Ostapenko, bind-...@isc.org
Aleks Ostapenko <aleks.osta...@gmail.com> wrote:
>
> Then I made `rndc freeze <zone_file_name>`. But after this command - the
> signed zone file (`<zone_file_name>.signed`) still remain
> in raw format (not text readable) - so I can read it via
> `named-compilezone` utility, but unfortunately I can't change it.

Ah, I should have checked that more thoroughly, sorry - I wasn't sure if
the signed zone followed the unsigned master file format or did something
else...

You can use `named-compilezone` to convert from raw to text, edit the
text, then convert back to raw. e.g.

$ named-compilezone -f raw -F text -o myzone.text myzone myzone.signed
$ vi myzone.text
$ named-compilezone -f text -F raw -o myzone.signed myzone myzone.text

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Northwest Fitzroy, Sole: Variable becoming southwesterly 3 or 4, occasionally
5 later. Moderate. Showers. Good.
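
The editing step in this procedure (step (2) of the freeze/edit/thaw recipe above, applied to the text file that `named-compilezone -F text` produces) is easy to get wrong by hand across several DNSKEY records and their RRSIG. The script below is an added example, not code from the bind-users posters or from ISC: it rewrites the TTL of exactly the DNSKEY RRs and the RRSIGs whose "type covered" field is DNSKEY, leaves every other line alone, and reports the resulting TTLs the way the thread checks them with dig. It assumes the one-record-per-line layout named-compilezone writes (owner, TTL, class, type, rdata) and uses a constructed sample zone with placeholder key material. It also warns when the new TTL exceeds the Original TTL field signed inside the RRSIG, because a validating resolver caps the TTL at that value (RFC 4035 section 5.3.3), so raising the header TTL alone does not take effect at validators until the RRset is re-signed.

```python
"""Rewrite the TTL of DNSKEY and RRSIG DNSKEY records in a text-format zone file.

Added example for the "freeze, edit the signed file, thaw" procedure and the
named-compilezone raw<->text conversion discussed in this thread; not code
from the posters or from ISC. Assumes the one-record-per-line layout written
by `named-compilezone -F text`: owner, TTL, class, type, rdata, whitespace
separated, with RRSIG rdata starting "<type covered> <alg> <labels>
<original TTL> ...". SAMPLE_ZONE is constructed sample data.
"""
import re
import sys

# Constructed sample in the layout named-compilezone produces; key material and
# signatures are placeholders, not real DNSSEC data.
SAMPLE_ZONE = """\
example.com.\t86400\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2016081502 7200 3600 1209600 3600
example.com.\t86400\tIN\tNS\tns1.example.com.
example.com.\t86400\tIN\tDNSKEY\t256 3 8 AwEAAZSKPLACEHOLDER==
example.com.\t86400\tIN\tDNSKEY\t257 3 8 AwEAAKSKONEPLACEHOLDER==
example.com.\t86400\tIN\tDNSKEY\t257 3 8 AwEAAKSKTWOPLACEHOLDER==
example.com.\t86400\tIN\tRRSIG\tDNSKEY 8 2 86400 20160915000000 20160815000000 12345 example.com. SIGPLACEHOLDER==
example.com.\t86400\tIN\tRRSIG\tNS 8 2 86400 20160915000000 20160815000000 54321 example.com. SIGPLACEHOLDER==
"""

# owner TTL class type rdata  (class is always IN in named-compilezone output)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+(\S+)\s+(.*)$")


def rewrite_dnskey_ttl(zone_text, new_ttl):
    """Return (rewritten_text, warnings).

    Only DNSKEY RRs and RRSIG RRs covering DNSKEY get new_ttl; SOA, NS, other
    RRSIGs, $-directives and comments pass through unchanged. A warning is
    added when new_ttl exceeds the Original TTL field inside the RRSIG, since
    validators cap the TTL at that signed value (RFC 4035 section 5.3.3).
    """
    out, warnings = [], []
    for line in zone_text.splitlines():
        m = RR_RE.match(line)
        if not m:
            out.append(line)
            continue
        owner, _ttl, cls, rtype, rdata = m.groups()
        fields = rdata.split()
        is_dnskey_sig = rtype == "RRSIG" and fields[0] == "DNSKEY"
        if rtype != "DNSKEY" and not is_dnskey_sig:
            out.append(line)
            continue
        if is_dnskey_sig:
            original_ttl = int(fields[3])
            if new_ttl > original_ttl:
                warnings.append(
                    f"{owner} RRSIG DNSKEY: requested TTL {new_ttl} exceeds the "
                    f"signed Original TTL {original_ttl}; validators will cap at "
                    f"{original_ttl} until the RRset is re-signed")
        out.append(f"{owner}\t{new_ttl}\t{cls}\t{rtype}\t{rdata}")
    return "\n".join(out) + "\n", warnings


def dnskey_ttls(zone_text):
    """Collect the TTLs seen on DNSKEY and RRSIG DNSKEY records, the same check
    the thread does with dig, so the edit can be verified before `rndc thaw`."""
    seen = {"DNSKEY": set(), "RRSIG DNSKEY": set()}
    for line in zone_text.splitlines():
        m = RR_RE.match(line)
        if not m:
            continue
        _owner, ttl, _cls, rtype, rdata = m.groups()
        if rtype == "DNSKEY":
            seen["DNSKEY"].add(int(ttl))
        elif rtype == "RRSIG" and rdata.split()[0] == "DNSKEY":
            seen["RRSIG DNSKEY"].add(int(ttl))
    return seen


if __name__ == "__main__":
    # Usage: python rewrite_dnskey_ttl.py <new_ttl> [myzone.text]
    # Without a file argument the constructed sample is rewritten to stdout.
    ttl = int(sys.argv[1]) if len(sys.argv) > 1 else 432000
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ZONE
    new_text, warns = rewrite_dnskey_ttl(text, ttl)
    for w in warns:
        print("warning:", w, file=sys.stderr)
    sys.stdout.write(new_text)
```

Run it between the two named-compilezone commands in place of `vi myzone.text` (for example `python rewrite_dnskey_ttl.py 432000 myzone.text > myzone.edited` and convert myzone.edited back to raw), and compare `dnskey_ttls()` of the result with what dig reports after thawing.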

Thomas Schulz

Aug 25, 2016, 1:29:18 PM
to aleks.osta...@gmail.com, bind-...@isc.org
> In message <CAMUgSQDxY_BnEgnAe4eQpoV_cHb7ScZ=qxT_-4CVW...@mail.gmail.com>, Александр Остапенко writes:
> > Hello.
> >
> > I'm using BIND 9.9.5.
> > My steps:
> >
> > 1. Sign zone using one ZSK and 2 KSK: a) adding "*auto-dnssec
> > maintain;*" and "*inline-signing yes;*" directive into zone section of
> > named.conf; b) setting publication and activation timestamps to current
> > time in key files; c) *rndc reload*.
> > 2. Change TTL value in the zone file ($TTL 86400 ==> $TTL 432000).
> > 3. Increase serial number in SOA record by 1.
> > 4. *rndc reload*.
> >
> > After that - DNSKEY and RRSIG DNSKEY records still have 86400 value in TTL
> > (checked via *dig*).
> > What could be the reason for such behavior?

When you use inline-signing yes, Bind increments the effective serial number
each time it makes a change in the zone as published. So the serial number
actually being used is likely more than 1 more than the serial number in the
zone file. So perhaps you should use dig to find the published serial number
and then set the number in the zone file to be greater than that.


> > Kind regards,
> > Aleks Ostapenko
>
> Use "dnssec-settime -L ttl"
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
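
"Greater than" for SOA serials means RFC 1982 serial arithmetic, not plain integer comparison, so a serial that looks larger can still lose once the counter has wrapped. The following is an added example of the check suggested above, not code from the poster or from ISC: it extracts the serial from SOA rdata in the form dig prints it (the sample rdata is constructed) and picks a zone-file serial that compares greater than the one named currently publishes.

```python
"""RFC 1982 serial arithmetic for choosing a zone-file SOA serial.

Added example for the suggestion above to compare the zone-file serial with
the serial named publishes; not code from the poster or from ISC. In practice
published_soa comes from `dig SOA <zone> @<server>`; SAMPLE_PUBLISHED_SOA is a
constructed sample of that rdata.
"""
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS       # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)    # 2^31, the RFC 1982 comparison window

# Constructed sample of the rdata part of a dig SOA answer:
# mname rname serial refresh retry expire minimum
SAMPLE_PUBLISHED_SOA = (
    "ns1.example.com. hostmaster.example.com. 2016081507 7200 3600 1209600 3600"
)


def parse_soa_serial(soa_rdata):
    """Pull the serial (third field) out of SOA rdata as dig prints it."""
    fields = soa_rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata must have 7 fields, got %d" % len(fields))
    return int(fields[2]) % MODULUS


def serial_gt(a, b):
    """RFC 1982 'greater than': a is ahead of b by less than 2^31, which also
    covers wrap-around past 4294967295 (0 is greater than 4294967295)."""
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(serial, n):
    """RFC 1982 addition; increments of 2^31 or more are undefined."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (serial + n) % MODULUS


def next_file_serial(file_serial, published_serial):
    """Serial to write into the raw zone file so that it compares greater than
    the one named publishes: keep the file serial if it already does, otherwise
    step one past the published serial."""
    if serial_gt(file_serial, published_serial):
        return file_serial
    return serial_add(published_serial, 1)


if __name__ == "__main__":
    published = parse_soa_serial(SAMPLE_PUBLISHED_SOA)
    in_file = 2016081502  # constructed: the serial still sitting in the zone file
    print("published:", published, "file:", in_file,
          "-> use:", next_file_serial(in_file, published))
```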

Aleks Ostapenko

Aug 29, 2016, 5:09:31 AM
to Tony Finch, bind-...@isc.org
2016-08-25 17:16 GMT+07:00 Tony Finch <d...@dotat.at>:


Unfortunately, after

1. rndc freeze myzone
2. named-compilezone -f raw -F text -o myzone.text myzone myzone.signed
   change TTL on DNSKEY and RRSIG DNSKEY in myzone.text
   named-compilezone -f text -F raw -o myzone.signed myzone myzone.text
3. rndc thaw myzone

the TTL in the DNSKEY and RRSIG DNSKEY records still has the old values in the signed zone
(checked via `dig` locally).
`rndc sync myzone` and `rndc reload` didn't help (`rndc reload myzone` failed because myzone is a dynamic zone).


Kind regards,
Aleks Ostapenko

Tony Finch

Aug 31, 2016, 8:50:38 AM
to Aleks Ostapenko, bind-...@isc.org
Aleks Ostapenko <aleks.osta...@gmail.com> wrote:
>
> Unfortunately, after
>
> 1. rndc freeze myzone
> 2. named-compilezone -f raw -F text -o myzone.text myzone myzone.signed
> change TTL on DNSKEY and RRSIG DNSKEY in myzone.text
> named-compilezone -f text -F raw -o myzone.signed myzone myzone.text
> 3. rndc thaw myzone
>
> TTL in DNSKEY and RRSIG DNSKEY records still have old values in signed zone
> (checked via `dig` locally).

Hmm :-(

Does it work better if you increment the SOA serial number as well?

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Tyne, Dogger, Fisher, German Bight, Humber: Southwest, veering west, 4 or 5.
Slight or moderate. Showers for a time. Good.

Aleks Ostapenko

Sep 2, 2016, 4:33:37 AM
to Tony Finch, bind-...@isc.org
No, it does not help either.

So, it seems there is no acceptable workaround for this issue for me.
In any case, thanks for the help.

I have reported this problem as a bug via https://www.isc.org/community/report-bug


Kind regards,
Aleks Ostapenko