[dns-operations] [DNSSEC] Bogus signature on secure.registry.be ?
Laurent Bauer
l.bauer at mailclub.fr
Fri Dec 23 20:54:23 UTC 2011
Thomas Dupas wrote:
> Hi Laurent,
>
> for the sake of full disclosure I'll answer on-list, I'm part of the .be staff.
> It wasn't the signature that was expired, because opposed to what Olaf Gudmundsson said it's the first field which is the expiration date, not the second (that's the inception/creation date).
>
> It was an error with a ZSK key invalidating the trust chain.
> The ZSK which we used before the previous rolloverwas removed mid December from the zone, long after it wasn't used for signing anymore.
> But a symlink to the ZSK was still present on disk, and had a delete time of end December which made it still a "valid/current" ZSK.
>
> Bind chose to re-add that ZSK as a DNSKEY yesterday during an internal rekeying event, but apart from rollover windows it has no access to the KSK for security reasons, thus invalidating the DNSKEY rrset signature since it couldn't create a new signature.
> we manually removed the DNSKEY and symlink to restore the DNSKEY rrset signature
>
> Br,
>
> Thomas Dupas
Hello,
Thanks for the details.
So I did not actually miss an expired signature, I'm a bit relieved
about that :) It surprised me that tools like dnsviz or drill did not
explicitely mention an expiration problem.
Anyway, thank you for the quick fix, it only lasted a few minutes so I
guess this is a pretty good incident management.
And thanks to all for helping me improve my DNSSEC understanding !
Best regards
Laurent Bauer
More information about the dns-operations
mailing list