[Opendnssec-user] Passthru signconf still demanding Signatures, Denial, Keys sections?
Rick van Rein
2016-11-24 11:19:44 UTC
Hi,

I'm experimenting with .signconf files for 2.0 using the <Passthrough/>
flag, and while playing around I've also checked signconf.rng to see the
syntax.

Even with the <Passthrough/> flag for a zone, the syntax for .signconf
files demands quite a bit of signing setup:
- Signatures/*
- Denial/NSEC3/Hash/* or Denial/NSEC
- Keys/TTL

The need for SOA/* makes sense, but the others are not as clear to me.
Why are they still required by the .signconf syntax? Are they still
used in any way?

I also found that DNSKEY entries are preserved when they occur in the
.signed file.

Are these unexpected things just accidentally retained, or are they in
the interest of keeping key material around for a while? If so, isn't
that taking care of things that the Enforcer (and so the .signconf file)
should take care of?

Thanks,
-Rick
Yuri Schaeffer
2016-11-28 10:53:55 UTC
Post by Rick van Rein
I'm experimenting with .signconf files for 2.0 using the <Passthrough/>
flag, and while playing around I've also checked signconf.rng to see the
syntax.
Even with the <Passthrough/> flag for a zone, the syntax for .signconf
- Signatures/*
- Denial/NSEC3/Hash/* or Denial/NSEC
- Keys/TTL
The need for SOA/* makes sense, but the others are not as clear to me.
Why are they still required by the .signconf syntax? Are they still
used in any way?
Sometime, many years ago, it was decided that almost the entire KASP
is required and thus there are no sane default values. Implementing
passthrough did not change that. All the values are parsed AND stored in
the database. They are not used though. So as long as the KASP validates
the values do not matter.
Post by Rick van Rein
I also found that DNSKEY entries are preserved when they occur in the
.signed file.
Are these unexpected things just accidentally retained, or are they in
the interest of keeping key material around for a while? If so, isn't
that taking care of things that the Enforcer (and so the .signconf file)
should take care of?
Passthrough SHOULD retain DNSKEYs that are in the input zone. If you,
however, see DNSKEYs that are generated by the signer, then I suspect this
has happened:

1) You did add a zone to ods. (it got signed)
2) you changed the policy to passthrough.

This use case is not supported (maybe it should?). To solve it quickly
you can remove the backup file for that zone. Next time, if you want to
start with an ODS-signed zone and want to change it to passthrough, you
can do the following.

[1) add a zone to ods. (it got signed)]
2) Remove all keys* from KASP and run policy update.
3) wait until ODS has properly unsigned the zone
4) then change policy to passthrough.

* Note that ("no keys" != "passthrough"). No keys defined in kasp will
gracefully unsign the zone AND filter any DNSSEC related records from
the input zone.

//Yuri
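As an added example (not code from this thread or from OpenDNSSEC itself), a small Python check for the two situations Yuri describes: signer-generated DNSKEY/RRSIG/NSEC records turning up in a passthrough zone's .signed output, and confirming a zone has been properly unsigned before the policy is switched. The zone contents, names and key/signature fields are constructed placeholders.

```python
# Added example (not from the thread or from OpenDNSSEC): compare the DNSSEC
# RRs of an input zone with its .signed output, to spot signer-generated
# records in a passthrough zone and to tell when a zone is "properly unsigned".
# Assumes one RR per line as "owner [TTL] [IN] TYPE RDATA", no $-directives.

DNSSEC_TYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "CDS", "CDNSKEY"}

def parse_zone(text):
    """Return the zone as a set of (owner, type, rdata) tuples."""
    rrs = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line or line.startswith("$"):
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():              # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":        # optional class
            rest = rest[1:]
        if rest:
            rrs.add((owner.lower(), rest[0].upper(), " ".join(rest[1:])))
    return rrs

def dnssec_records(rrs):
    """Keep only the types a signer adds or that passthrough must preserve."""
    return {rr for rr in rrs if rr[1] in DNSSEC_TYPES}

def check_passthrough(input_text, signed_text):
    """Return (added, dropped): DNSSEC RRs the signer introduced, and input
    DNSSEC RRs it failed to pass through. Both are empty for a clean passthrough."""
    inp = dnssec_records(parse_zone(input_text))
    out = dnssec_records(parse_zone(signed_text))
    return out - inp, inp - out

def is_unsigned(text):
    """True when no DNSSEC RR remains: what to wait for before switching policy."""
    return not dnssec_records(parse_zone(text))

# Constructed sample zones; key and signature fields are placeholders.
INPUT_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2016112401 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 8 PLACEHOLDER-KSK-FROM-INPUT
ns1.example.test. 3600 IN A 192.0.2.1
"""
SIGNED_ZONE = INPUT_ZONE + """
example.test. 3600 IN DNSKEY 256 3 8 PLACEHOLDER-ZSK-MADE-BY-SIGNER
example.test. 3600 IN RRSIG SOA 8 2 3600 20161225000000 20161125000000 12345 example.test. PLACEHOLDER-SIG
example.test. 3600 IN NSEC ns1.example.test. SOA NS DNSKEY RRSIG NSEC
"""
```

Run `check_passthrough` on the input zone and the .signed file: a non-empty first set means the signer is still adding its own keys or signatures, which is the symptom Yuri attributes to switching an already-signed zone to passthrough.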
