northox / dnssec-reverb

Automate DNSSEC key rotation for both ZSK KSK

`status` does not show KSK digest #21

Closed tlaguz closed 2 years ago

tlaguz commented 3 years ago

Added domain by: dnssec-reverb keygen example.com

Status output is missing digest:

ns1# dnssec-reverb status example.com
example.com -- https://dnsviz.net/d/example.com/dnssec/
 type state  id    algo hash (expiration)        (digest)
 KSK  active                 set w/ registrar
 ZSK  active 53113 14    2   2021/09/29 12:01:42

My config in /etc/dnssec-reverb.conf:

MASTERDIR="/var/nsd/zones/master"

KEYGEN_CMD="$(which ldns-keygen)"
SIGNZONE_CMD="$(which ldns-signzone)"
KEY2DS_CMD="$(which ldns-key2ds)"
CHECKZONE_CMD="$(which nsd-checkzone)"
CONTROL_CMD="$(which nsd-control)"
RELOAD_CMD="(echo -n 'reload is '; $CONTROL_CMD reload) && (echo -n 'notify is '; $CONTROL_CMD notify)"

# https://tools.ietf.org/id/draft-ietf-dnsop-algorithm-update-01.html

KSK_PARAM="-a ECDSAP384SHA384 -k"
ZSK_PARAM="-a ECDSAP384SHA384"
SIGN_PARAM="-n" # -n = use NSEC3
DS_HASH="2" # 1=SHA1 2=SHA256 3=GOST 4=SHA384
DS_PARAM="-$DS_HASH"

EXPIRE_DAYS="33"

It appears that these lines (173 and 176) are not correct:

    $KEY2DS_CMD "$_DS_PARAM" "$KEYDIR/$(cat "$KSK_CUR_FILE").key" | \
        awk '{printf (" KSK  active %5s %2s   %2s   set w/ registrar    %s\n", $5, $6, $7, $8)}'

ldns-key2ds returns the filename, according to its manual:

ldns-key2ds is used to transform a public DNSKEY RR to a DS RR. When run it will read file with a DNSKEY RR in it and it will create a .ds file with the DS RR in it.

It prints out the basename for this file (K<name>+<alg>+<id>).

So I don't understand what the input of the awk command should be.

northox commented 3 years ago

Sorry for the delay. Got a few things on my plate lately. I believe I understand the issue. I'll change a few things and come back with some fix. Can you tell me about your environment? Linux, BSD? Which distro? Thanks.

tlaguz commented 3 years ago

I'm running OpenBSD 6.9. When you have the fix ready, I can test it on my setup before merging.

tlaguz commented 2 years ago

I've done some digging and found out that:

  1. I was missing "-n" in DS_PARAM in /etc/dnssec-reverb.conf. It is always required, so I suggest moving it from the configuration to the $KEY2DS_CMD execution.
  2. Now there are some inconsistencies in using the -n option in lines 173 and 176, and between the two example config files. Fixed in the patch.
  3. ldns-key2ds doesn't accept options enclosed in "". Please check out the example below:
ns1# ds="-n -2"
ns1# /usr/local/bin/ldns-key2ds "$ds" /var/nsd/zones/master/dnssec-reverb-db/keydir/Kexample.com.+014+55643.key
Kexample.com.+014+55643
ns1# /usr/local/bin/ldns-key2ds $ds /var/nsd/zones/master/dnssec-reverb-db/keydir/Kexample.com.+014+55643.key
example.com.    3600    IN  DS  55643 14 2 <valid hash here>

I will create a pull request with proposed changes in a minute. The changes work on my OpenBSD 7.1 based ns.
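The quoting problem described in this thread, as an added example that is not part of dnssec-reverb or this issue: a quoted `"$ds"` reaches the command as one argument, the unquoted form as two, and `set --` builds the list without relying on word splitting; the DS record below is constructed with a placeholder digest so the awk status line can be checked offline.

```shell
#!/bin/sh
# Added example (not code from dnssec-reverb): why "$DS_PARAM" fails and how
# the KSK status line is built from a DS record.

# Report how many arguments a command would receive.
nargs() { echo "$#"; }

# Quoted: the whole string "-n -2" arrives as ONE argument, which is what
# ldns-key2ds cannot parse as options.
quoted_argc() {
    ds="-n -2"
    nargs "$ds"
}

# Unquoted: the shell splits on whitespace, so two separate options arrive.
unquoted_argc() {
    ds="-n -2"
    nargs $ds
}

# Portable alternative that does not depend on word splitting of a variable:
# build the argument list with set -- and pass "$@" through.
explicit_argc() {
    DS_HASH="2"
    set -- -n "-$DS_HASH"
    nargs "$@"
}

# Constructed DS record in the shape "ldns-key2ds -n" prints; the digest is a
# placeholder, not a real hash.
SAMPLE_DS='example.com.    3600    IN  DS  55643 14 2 0123456789abcdef'

# Format one DS record line into the status line dnssec-reverb prints.
# Fields: $5=key tag, $6=algorithm, $7=digest type, $8=digest.
format_ksk_status() {
    printf '%s\n' "$1" | \
        awk '{printf (" KSK  active %5s %2s   %2s   set w/ registrar    %s\n", $5, $6, $7, $8)}'
}
```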