I'm having some trouble migrating a signed DNS zone to a new server. I've copied over the zone files (unsigned, signed, and journal), signing keys, and DS sets. Once in place, BIND is happy to serve the zone but it cannot be signed. This is the result when I try running rndc sign example.com:
29-Sep-2022 17:16:42.605 general: info: received control channel command 'sign example.com'
29-Sep-2022 17:16:42.605 general: debug 1: zone_settimer: zone example.com/IN: enter
29-Sep-2022 17:16:42.605 general: debug 1: zone_timer: zone example.com/IN: enter
29-Sep-2022 17:16:42.605 general: debug 1: zone_maintenance: zone example.com/IN: enter
29-Sep-2022 17:16:42.605 dnssec: info: zone example.com/IN: reconfiguring zone keys
29-Sep-2022 17:16:42.606 dnssec: warning: EVP_SignFinal failed (failure)
29-Sep-2022 17:16:42.606 dnssec: info: error:03000098:digital envelope routines::invalid digest:crypto/evp/pmeth_lib.c:961:
29-Sep-2022 17:16:42.606 dnssec: error: zone example.com/IN: sign_apex:add_sigs -> failure
29-Sep-2022 17:16:42.606 dnssec: debug 3: zone example.com/IN: zone_rekey failure: failure (retry in 600 seconds)
29-Sep-2022 17:16:42.606 general: debug 1: zone_settimer: zone example.com/IN: enter
Relevant parts of the config are:
options {
    dnssec-enable yes;
    dnssec-validation auto;
};
zone "example.com" IN {
    type master;
    file "dynamic/db.example.com.signed";
    auto-dnssec allow;
    update-policy {
        grant "local-nsupdate" wildcard *;
        grant "acme-clients" subdomain example.com. TXT;
    };
    also-notify { office-routers; };
};
The new config is almost the same, just removing dnssec-enable yes; as the log tells me it's outdated now.
The old server is running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 (Extended Support Version) <id:7107deb> on Scientific Linux 7.6 and the new one is BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f> on AlmaLinux 9.0.
Editing to add that EVP_SignFinal looks to be an OpenSSL function, so it's possible the problem isn't in BIND at all. Old version's named -V says:
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
and new version says:
compiled by GCC 11.2.1 20211203 (Red Hat 11.2.1-7)
compiled with OpenSSL version: OpenSSL 3.0.1 14 Dec 2021
linked to OpenSSL version: OpenSSL 3.0.1 14 Dec 2021
I ended up resolving this by downgrading the crypto policy on the system. Seems like the NSEC3RSASHA1 zone signing key I generated in 2015 is no longer strong enough to work with the default settings. I resolved this by running:
This is, of course, not a satisfactory solution from a security PoV, so I guess I will need to regenerate all my keys, update the registrar, and resign the zones?
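The error in the log is OpenSSL (not BIND) refusing to produce a SHA-1 signature under the system crypto policy, which is why an NSEC3RSASHA1 (algorithm 7) key that worked on OpenSSL 1.0.2 fails on OpenSSL 3 with the RHEL/Alma 9 DEFAULT policy. Before regenerating anything it is worth knowing exactly which keys are affected. The script below is an added example and not code from the original post: it parses DNSKEY records (as found in K*.key files or returned by dig), flags the SHA-1 based algorithms 5 and 7, and prints the dnssec-keygen commands for a replacement key pair. The sample records, the choice of ECDSAP256SHA256 (algorithm 13) for the replacement, and the /var/named/keys key directory are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits DNSKEY records for the SHA-1 based DNSSEC algorithms (5 RSASHA1,
# 7 NSEC3RSASHA1) that OpenSSL 3 under the RHEL/Alma 9 DEFAULT crypto policy
# refuses to sign with, and prints the dnssec-keygen commands for a
# replacement key pair. Algorithm numbers and mnemonics follow the IANA
# "DNS Security Algorithm Numbers" registry.

# Algorithm number -> mnemonic.
dnssec_alg_name() {
    case "$1" in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# "weak" for the SHA-1 algorithms, "ok" for everything else.
dnssec_alg_status() {
    case "$1" in
        5|7) echo weak ;;
        *)   echo ok ;;
    esac
}

# Read DNSKEY RRs on stdin, one per line, in the form written to K*.key files
# or returned by dig ("owner [TTL] IN DNSKEY flags protocol algorithm key").
# Prints "owner role algorithm status" per record; the role comes from the
# flags field (257 = KSK with the SEP bit set, 256 = ZSK).
audit_dnskeys() {
    while read -r line; do
        set -- $line                      # split the RR into whitespace fields
        owner=$1
        while [ $# -gt 0 ] && [ "$1" != "DNSKEY" ]; do shift; done
        [ $# -ge 4 ] || continue          # not a DNSKEY record, skip it
        flags=$2
        alg=$4
        case "$flags" in
            257) role=KSK ;;
            256) role=ZSK ;;
            *)   role="flags=$flags" ;;
        esac
        printf '%s %s %s %s\n' "$owner" "$role" "$(dnssec_alg_name "$alg")" "$(dnssec_alg_status "$alg")"
    done
}

# Number of DNSKEY records on stdin that use a SHA-1 algorithm.
count_weak_keys() {
    audit_dnskeys | awk '$4 == "weak" { n++ } END { print n + 0 }'
}

# Print (but do not run) the dnssec-keygen commands for a replacement
# KSK/ZSK pair using ECDSAP256SHA256 (algorithm 13). The key directory
# /var/named/keys is an assumed default; pass your own as the second argument.
replacement_keygen_cmds() {
    zone=$1
    keydir=${2:-/var/named/keys}
    echo "dnssec-keygen -K $keydir -a ECDSAP256SHA256 -f KSK $zone"
    echo "dnssec-keygen -K $keydir -a ECDSAP256SHA256 $zone"
}

# Constructed sample records (the key material is placeholder text, not real keys).
SAMPLE_DNSKEYS='example.com. IN DNSKEY 257 3 7 AwEAAcExampleKSK1
example.com. IN DNSKEY 256 3 7 AwEAAcExampleZSK1
example.net. 3600 IN DNSKEY 257 3 13 mdsswUyrExampleKSK'

printf '%s\n' "$SAMPLE_DNSKEYS" | audit_dnskeys
echo "SHA-1 keys found: $(printf '%s\n' "$SAMPLE_DNSKEYS" | count_weak_keys)"
replacement_keygen_cmds example.com
```

On the real server, feed it `cat /var/named/keys/K*.key` (or `dig DNSKEY example.com`) instead of the constructed sample; `update-crypto-policies --show` tells you which policy is currently active, and a downgrade to LEGACY only buys time. The generated keys have to go through a normal algorithm rollover: publish the new DNSKEYs alongside the old ones, sign with both, submit the new DS to the registrar, and only remove the SHA-1 keys and their DS after the old records have expired from caches.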