我正在对 KSK 和 ZSK 进行轮转(与服务器转移同时进行),但 BIND(版本 9.16.23)开始给我带来问题。我的目录中有以下密钥:
; Kexample.ca.+007+10274.key
; This is a zone-signing key, keyid 10274, for example.ca.
; Created: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Publish: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Activate: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Inactive: 20221016000000 (Sat Oct 15 20:00:00 2022)
; Delete: 20221101000000 (Mon Oct 31 20:00:00 2022)
example.ca. IN DNSKEY 256 3 7 AwEAAdrZTmbJJiG5DpbDxB4hFsC5h5HfvClN2hCqCTM+K/mL6yUuGNMK
...
; Kexample.ca.+007+56883.key
; This is a key-signing key, keyid 56883, for example.ca.
; Created: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Publish: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Activate: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Inactive: 20221013000000 (Wed Oct 12 20:00:00 2022)
; Delete: 20221015000000 (Fri Oct 14 20:00:00 2022)
example.ca. IN DNSKEY 257 3 7 AwEAAco64iLFxmdJo71EVDcgoU7fCf+KtGVVb5qNJ5Cqy2fIfQ14lfpi
...
; Kexample.ca.+015+37539.key
; This is a zone-signing key, keyid 37539, for example.ca.
; Created: 20221003223624 (Mon Oct 3 18:36:24 2022)
; Publish: 20221003223624 (Mon Oct 3 18:36:24 2022)
; Activate: 20221015000000 (Fri Oct 14 20:00:00 2022)
example.ca. IN DNSKEY 256 3 15 d5jO/VChUOdTxJbFIT/JnUC...
; Kexample.ca.+015+44951.key
; This is a key-signing key, keyid 44951, for example.ca.
; Created: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Publish: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Activate: 20221014000000 (Thu Oct 13 20:00:00 2022)
example.ca. IN DNSKEY 257 3 15 yTweQBDrmRQB9TlRCw5UjfLm...
标准区域配置:
zone "example.ca" IN {
type master;
file "dynamic/db.example.ca.signed";
auto-dnssec maintain;
update-policy {
grant "local-nsupdate-key" zonesub ANY;
};
};
因此,从日期可以看出,旧的 RSA 密钥现在应该已经停止使用,取而代之的是 ED25519 密钥。但事实并非如此。BIND 现在正在做的是使用旧的非活动 ZSK、新的 ZSK 和新的 KSK:
A 1.234.56.7
RRSIG A 7 2 7200 (
20221108175559 20221009172553 10274 example.ca.
OWuM4QbyhPMHAdAar3VN2UwtnQdNuAJ6SI638fjA7Qwi
awbXkiWDmoMu0gPi+96f7sECeePFcrGhZwWNBaNOZM5k
adrzaU74LyRB6uKNJ8+oJyk8gLWyLP70iuxxKqmvJyra
sQ7evDHQOeN68VohLw+dnvsyPQt2gjyPwq+3KOyPBnu9
WAQMfPsI5ApDj2bKodZ+YPbeGtphNFmLUo4dDvgDmTaP
uVlFv/y8BcZVmtG5OzPk0eRmQR8z61NWU5/vLDA1BdnR
3YxH0GCYAS6uD69KpAdi8vCoPKrz+SapY4ZVOcIqljGK
j8G6AmXBL1lPYbqUZl3+b0R25rKbdgOKeg== )
RRSIG A 15 2 7200 (
20221109073728 20221014123919 44951 example.ca.
nsK1mxNMwkpYODNwR/VggyHKhFaOd2+ZQtQxn8Np6X/Q
N3s+ziXwvuP+ShizVVwupfzXydkZTtBmK0lLzqOWAg== )
RRSIG A 15 2 7200 (
20221108202820 20221016223139 37539 example.ca.
Fj//9E+jgVtMPiltKit8cKMO3Q1XzAO9uGM9eWS2kcA9
t1JQfzhPP/0z0bw5OpSjjCfP8qnvbuJDHk+aG0MIAQ== )
除了日期问题之外,这种情况不应该发生,而且我管理的其他 DNSSEC 区域也没有发生这种情况。为什么 BIND 会把这个区域搞得这么糟?(或者,为什么我误解了这一点?!)
调试日志输出显示运行时发生的情况rndc sign example.ca 可用,如果它有用的话。但在我看来,它似乎没什么帮助。
答案1
由于无法解释 BIND 为何会出现这种错误行为,我最终运行了rndc freeze example.ca,手动删除了所有 RRSIG 记录,运行rndc sign,然后再次使用 解冻rndc thaw example.ca。然后,BIND 继续使用新 ZSK 正确签名记录。旧 ZSK 仍作为 DNSKEY 记录,我希望它会根据元数据中的时间表被删除。