[dns-operations] Question on DNSSEC Failures

Petr Špaček petr.spacek at nic.cz
Fri Jun 15 12:56:06 UTC 2018


On 15.6.2018 14:00, Mukund Sivaraman wrote:
> On Fri, Jun 15, 2018 at 01:21:52PM +0200, Anthony Eden wrote:
>> I have a zone where keys are currently in rotation[1], with the old keys
>> (both KSK and ZSK) at 1024 bits and the new keys (both KSK and ZSK) at 2048
>> bits [2]. DNSSEC validating resolvers such as Google's public resolvers are
>> currently returning SERVFAIL. [3]
>>
>> I am trying to determine why the lookups are failing at resolvers. Is this
>> due to the truncation and requirement to switch to TCP? Do I need to reduce
>> the bit size to something between 1024 and 2048?
> 
> See the errors at: http://dnsviz.net/d/avisi.net/dnssec/

In words instead of images: your attempt to do a key rollover did not 
follow standard procedures, and now the parent zone (net.) indicates to 
clients that your zone is using a different set of keys than it should.

You might try to revert back to the old keys, sign with them and start 
the rollover again (if the TTL in your zone is short), or update the DS in the 
parent (if the DS TTL in the parent is shorter).

If this state has been there for a longer time, it is already cached all over 
the place and you will have to accept a temporary outage and try to get 
out of the rathole. In that case I would recommend:

0) abandon current attempt to roll keys, it is too broken
a) sign zone properly with just one set of keys, possibly with the new ones
b) update DS record in parent zone to match new keys
c) wait until the change is propagated through caches
(Google API for cache flush might help a little bit but it will not save 
everything.)

For future rollovers I would recommend you to use an automated tool; it 
eliminates the vast majority of problems.

As a Knot developer I would recommend you to have a look at e.g.
https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#dnssec-automatic-ksk-management

:-)

-- 
Petr Špaček  @  CZ.NIC
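The failure described above is a parent/child mismatch: the DS RRset in net. no longer corresponds to any KSK that is present in the child zone and signs its DNSKEY RRset, so validators treat the zone as bogus. The following is an added example (not code from the thread, from Petr Špaček, or from Knot DNS) that computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) from a DNSKEY and then checks whether a parent's DS set and a child's DNSKEY set form a usable chain. The zone name, key material and key tags are constructed for the example; real DNSKEY public keys are base64 in zone files, and a real checker would fetch the two RRsets with a resolver and take the signer key tags from the RRSIG(DNSKEY) records.

```python
"""Does the parent's DS RRset still match the child's DNSKEY RRset?

Key tag: RFC 4034 Appendix B (for algorithms other than RSAMD5).
DS digest: RFC 4034 section 5.1.4, digest type 2 (SHA-256).
All records here are constructed for the example, not real zone data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 8 = RSASHA256
    public_key: bytes  # raw key material (base64-decoded in real records)

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: 16-bit tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name, e.g. b'\\x07example\\x03net\\x00'."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS record the parent should publish for this DNSKEY."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(wire_name(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    """True when the DS was derived from exactly this DNSKEY at this owner name."""
    return ds == make_ds(owner, key, ds.digest_type)


def check_chain(owner, parent_ds, child_dnskeys, dnskey_rrsig_tags):
    """Return (status, findings) for the delegation owner.

    The chain validates only if some DS in the parent matches a DNSKEY that
    is present in the child AND signs the DNSKEY RRset (dnskey_rrsig_tags are
    the key tags taken from the child's RRSIG(DNSKEY) records).
    """
    findings, usable = [], []
    for ds in parent_ds:
        if not any(ds_matches(owner, ds, k) for k in child_dnskeys):
            findings.append(f"DS {ds.key_tag}/alg {ds.algorithm} matches no DNSKEY "
                            f"in {owner} (stale DS in parent)")
        elif ds.key_tag not in dnskey_rrsig_tags:
            findings.append(f"DNSKEY {ds.key_tag} matches a DS but does not sign "
                            f"the DNSKEY RRset")
        else:
            usable.append(ds.key_tag)
    # A KSK with no DS in the parent is a rollover that was never completed.
    ksk_tags = {key_tag(k) for k in child_dnskeys if k.flags & 1}
    for tag in sorted(ksk_tags - {d.key_tag for d in parent_ds}):
        findings.append(f"KSK {tag} in {owner} has no DS in the parent")
    status = "SECURE" if usable else "BOGUS (validating resolvers will SERVFAIL)"
    return status, findings


# Constructed sample keys (tiny fake key material so the tags are hand-checkable).
ZONE = "example.net."
OLD_KSK = DNSKEY(257, 3, 8, b"\x01\x02\x03\x04")   # key tag 2063
NEW_KSK = DNSKEY(257, 3, 8, b"\xaa\xbb\xcc\xdd")
NEW_ZSK = DNSKEY(256, 3, 8, b"\x10\x20\x30\x40")


def broken_rollover():
    """Parent still has the old DS; the zone now carries and signs with only the new keys."""
    return check_chain(ZONE, [make_ds(ZONE, OLD_KSK)],
                       [NEW_KSK, NEW_ZSK], {key_tag(NEW_KSK)})


def repaired_rollover():
    """Parent DS updated to the new KSK, zone signed with the new keys only."""
    return check_chain(ZONE, [make_ds(ZONE, NEW_KSK)],
                       [NEW_KSK, NEW_ZSK], {key_tag(NEW_KSK)})


if __name__ == "__main__":
    for label, fn in (("broken", broken_rollover), ("repaired", repaired_rollover)):
        status, findings = fn()
        print(f"{label}: {status}")
        for f in findings:
            print("  -", f)
```

The broken case reports both halves of the problem the thread is about: a DS in the parent that no longer matches anything in the child, and a KSK in the child that the parent does not know about. Either the DS or the child keys must be changed so that at least one DS/KSK pair lines up and that KSK signs the DNSKEY RRset; until caches expire, resolvers that hold the old DS or the old DNSKEY RRset will keep failing regardless.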


