为了控制签名何时过期,我已改用dnssec-policy
为我的区域生成 DNSSEC 记录。这解决了 RRSIG 记录在应过期时过期的问题,但又带来了新的问题。
bind9 现在不断尝试停用我的非过期 KSK 和 ZKS 密钥。如何配置 bind 以在密钥永不过期时不尝试任何密钥轮换?
这是我的日志的相关部分:
named[5078]: keymgr: retire DNSKEY example.com/ED25519/00000 (KSK)
named[5078]: keymgr: DNSKEY example.com/ED25519/50916 (ZSK) created for policy example-com-policy
named[5078]: zone example.com/IN (signed): zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk
关于我的设置的更多信息:
KSK 和 ZSK 密钥通过运行以下命令生成:
dnssec-keygen -a ED25519 -f KSK example.com dnssec-keygen -a ED25519 example.com
政策声明
named.conf.local
:dnssec-policy example-com-policy { dnskey-ttl 300; keys { ksk key-directory lifetime unlimited algorithm ED25519; zsk key-directory lifetime unlimited algorithm ED25519; }; max-zone-ttl 300; parent-ds-ttl 300; parent-propagation-delay 2h; publish-safety 7d; retire-safety 7d; signatures-refresh 1439h; signatures-validity 90d; signatures-validity-dnskey 90d; zone-propagation-delay 2h; };
区域声明
named.conf.local
:zone "example.com" { type master; file ".../db.example.com"; allow-transfer { ... }; also-notify { ... }; key-directory "..."; serial-update-method unixtime; dnssec-policy example-com-policy; };
以及以下内容
.../db.example.com
:$TTL 300 @ IN SOA ns1.example.com. admin.example.com. ( 1634019890 ; Serial 10m ; Refresh 20m ; Retry 9w ; Expire 1h ) ; Negative Cache TTL ; example.com. IN NS ns1.example.com. example.com. IN NS ns2.example.com. ; ...
系统信息:
- bind9 9.16.15-debian
- Debian 11(最新稳定版本)
- 默认 apparmor 配置
- named 对 keys 目录具有只读访问权限
2021-10-22 更新
两个键的计时信息(根据dnssec-settime -p all
)是:
Created: Sun Oct 10 07:51:48 2021
Publish: Sun Oct 10 07:51:48 2021
Activate: Sun Oct 10 07:51:48 2021
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET