dnssec-signzone hangs on algorithm ECDSAP256SHA256
by thenob from LinuxQuestions.org on (#6EVXM)
After running DNSSEC with SHA256 for more than 10 years, it's time to move to algorithm ECDSAP256SHA256.
However, dnssec-signzone hangs when trying to sign the zone with a ZSK using the new algorithm.
Let's take example.com; in the zone file there are these 2 lines, 1 for the KSK and 1 for the ZSK:
$include Kexample.com.+008+23239.key
$include Kexample.com.+008+56820.key
Signing the zone works perfectly:
# /usr/sbin/dnssec-signzone -N unixtime -k Kexample.com.+008+23239 -o example.com example.com Kexample.com.+008+56820.key
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
example.com.signed
Next step: create ECDSAP256SHA256 ZSK:
# dnssec-keygen -r /dev/urandom -a ECDSAP256SHA256 amelsdorp.b
Generating key pair.
Kexample.com.+013+05484
This works perfectly. Adding $include Kexample.com.+013+05484.key to the zone file and then re-signing with the old ZSK:
# /usr/sbin/dnssec-signzone -N unixtime -k Kexample.com.+013+36340.key -o example.com example.com Kexample.com.+013+55624.key
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
Algorithm: ECDSAP256SHA256: KSKs: 0 active, 0 stand-by, 0 revoked
ZSKs: 0 active, 1 stand-by, 0 revoked
Works perfectly.
After the TTL is expired we want to sign the zone with the new ZSK:
# /usr/sbin/dnssec-signzone -N unixtime -k Kexample.com.+008+23239 -o example.com example.com Kexample.com.+013+05484.key
--> this process hangs, so let's debug:
# /usr/sbin/dnssec-signzone -v 10 -N unixtime -k Kexample.com.+008+23239 -o example.com example.com Kexample.com.+013+05484.key
dnssec-signzone: using 2 cpus
dnssec-signzone: debug 1: delete_node(): 0x7f7bb251e0f0 example.com (bucket 0)
dnssec-signzone: debug 1: calling free_rbtdb(.)
dnssec-signzone: debug 1: done free_rbtdb(.)
dnssec-signzone: no existing signatures for example.com/NSEC
dnssec-signzone: example.com/NSEC:
dnssec-signzone: signing with dnskey example.com/ECDSAP256SHA256/5484
And there it's stuck!
I've also generated a new KSK with algorithm ECDSAP256SHA256 and tried to sign the zone with an ECDSAP256SHA256 KSK and ZSK (so no mixed algorithms), but this also hangs.
Does anyone have an idea how to fix this?
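A pre-flight check for this kind of rollover, as an added example (not from the original post and not part of BIND): it parses BIND's K<zone>.+<alg>+<tag>.key file names and the DNSKEY flags in the included key files, rebuilds the per-algorithm KSK/ZSK summary that dnssec-signzone prints (without the revoked column), and flags an algorithm that is active on only one side, which per RFC 4035 section 2.2 / RFC 6840 section 5.11 leaves part of the zone unsigned by that algorithm. It says nothing about why the signer hangs; the DNSKEY records below are constructed placeholders for the three keys named in the post.

```python
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers as they appear in BIND key-file names (subset)
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256"}
KEYFILE_RE = re.compile(r"^K(?P<zone>[^+]+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.key|\.private)?$")

def parse_keyfile_name(name):
    """Split K<zone>.+<alg>+<tag>[.key] into (zone, algorithm number, key tag)."""
    m = KEYFILE_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"not a BIND key file name: {name}")
    return m["zone"], int(m["alg"]), int(m["tag"])

def dnskey_fields(record):
    """Return (flags, algorithm) from the DNSKEY record stored in a BIND .key file."""
    f = record.split()
    i = f.index("DNSKEY")
    return int(f[i + 1]), int(f[i + 3])

def summarize(key_records, signing_keys):
    """key_records: {key-file name: DNSKEY record} for every key $INCLUDEd in the zone;
    signing_keys: key names given to dnssec-signzone (-k and positional), i.e. the active ones."""
    active = {parse_keyfile_name(k)[1:] for k in signing_keys}
    summary = defaultdict(lambda: {r: {"active": 0, "stand-by": 0} for r in ("KSK", "ZSK")})
    problems = []
    for name, record in key_records.items():
        _, alg, tag = parse_keyfile_name(name)
        flags, rec_alg = dnskey_fields(record)
        if rec_alg != alg:
            problems.append(f"{name}: file name says algorithm {alg}, record says {rec_alg}")
        role = "KSK" if flags & 1 else "ZSK"  # flags 257 = SEP bit set = KSK, 256 = ZSK
        state = "active" if (alg, tag) in active else "stand-by"
        summary[ALGORITHMS.get(alg, f"alg{alg}")][role][state] += 1
    # The zone must be signed with every algorithm in the DNSKEY RRset; with dnssec-signzone the
    # -k keys sign DNSKEY and the other keys sign the rest, so one active side alone is incomplete.
    for alg_name, roles in summary.items():
        if roles["ZSK"]["active"] and not roles["KSK"]["active"]:
            problems.append(f"{alg_name}: active ZSK but no active KSK (DNSKEY RRset unsigned by it)")
        if roles["KSK"]["active"] and not roles["ZSK"]["active"]:
            problems.append(f"{alg_name}: active KSK but no active ZSK (zone data unsigned by it)")
    return dict(summary), problems

# Constructed sample: the three keys from the post; the base64 key material is a placeholder.
SAMPLE_KEYS = {
    "Kexample.com.+008+23239.key": "example.com. IN DNSKEY 257 3 8 AwEAAcKSKplaceholder",
    "Kexample.com.+008+56820.key": "example.com. IN DNSKEY 256 3 8 AwEAAcZSKplaceholder",
    "Kexample.com.+013+05484.key": "example.com. IN DNSKEY 256 3 13 AwEAAcECDSAplaceholder",
}
```

Run summarize(SAMPLE_KEYS, [...]) with the key names from the working command and again with those from the hanging one: the first reproduces the 1/1 active RSASHA256 summary with the ECDSAP256SHA256 ZSK on stand-by, the second reports both algorithms as incomplete.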