knot test revocation III
Knot, try revocation III (test setup: keys are generated with algorithm=8/RSASHA256; the 1024-bit RSA ZSK below is for the experiment only and is below current operational guidance — use at least 2048-bit RSA or an ECDSA/EdDSA algorithm for a production zone)
[root@ods knot]# pwd
/usr/local/knotrev/etc/knot
[root@ods knot]# # rm -rf ../../var/lib/knot/*
[root@ods knotrev]# keymgr example.com. generate algorithm=8 size=1024 ksk=no
2f7e102251d5589ab674ed0bb9c0505ba07ee078
[root@ods knotrev]# keymgr example.com. generate algorithm=8 size=2048 ksk=yes
1ef2baf93933d25f304069427bed34938ada5543
[root@ods knotrev]# knotc -b reload
Reloaded
** Add a second KSK (tag 21790) so the zone still has a valid, non-revoked KSK signing the DNSKEY RRset after the old one (tag 09976) is revoked
[root@ods knotrev]# keymgr example.com. generate algorithm=8 size=2048 ksk=yes
27abf5cf726c1ee9d72a1d1498b8cd14b1d25cc3
[root@ods knotrev]# keymgr example.com list
1ef2baf93933d25f304069427bed34938ada5543 ksk=yes zsk=no tag=09976 algorithm=8 size=2048 public-only=no pre-active=0 publish=1595695114 ready=1595695114 active=1595695114 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
27abf5cf726c1ee9d72a1d1498b8cd14b1d25cc3 ksk=yes zsk=no tag=21790 algorithm=8 size=2048 public-only=no pre-active=0 publish=1595695142 ready=1595695142 active=1595695142 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
2f7e102251d5589ab674ed0bb9c0505ba07ee078 ksk=no zsk=yes tag=45025 algorithm=8 size=1024 public-only=no pre-active=0 publish=1595695102 ready=0 active=1595695102 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
** 21790 is the new, 09976 the old
[root@ods knotrev]# knotc -b reload
Reloaded
** dig: the DNSKEY RRset is now signed by both KSKs (two RRSIG DNSKEY records below, key tags 9976 and 21790); the two DNSKEYs still carry flags 257 (ZONE+SEP, no REVOKE bit)
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAaydhne/z5EwMRvT1MxcHorlCMjbA5Iv8V3r
vrweDL/vG/U+Q6lqxwV4ndKJB99V76eLYwwGMS9k
ZPfbjrrelG7JIipqvUSFdvw/Yl6u49qNxtP2orP+
02ZqJjLp4d877M1eRsMkY4Xj6L2Fu60u9zpgMIzM
nUzrZ09qTeULkat/8IO59tLfqgO5TqijweSozH2T
b13Q5E0uxWbMcPiDeBDezCLx2WNmzL2B1gn+tLhB
8vTzExVHjt3JYXTPhG1ozRydybkeelem6n4mOAVN
s8enD9Fti2Tqny/aJnspi2+Tumk488x1sY5Ea9/V
8b2aFK8OeT0MlWwpVVGacbOoU20=
) ; KSK, RSASHA256 (2048b), id = 21790
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAcQbt9aCQA7bzkiY34UsOtjlc+MsGTkWia4e
Dajwf+05ESYNPYvueGTnOGtgkkqfzKLCqoQBnagO
wzSj6xcThmVgehbQ38mz+3kwK0aPI5h9msKNiLc2
DlyMT0dGNpA5Hn9TF3TcBq/nnZDQ2SlolkfrJgm4
QM399nxdZG0gY0qoIbHUWxhS7nhCJH/lNT0aU1EP
umdxH+WNVYA+8nUfz/Hus6pps8PhvUtr/Gr8rItP
X53M+ILATaTTCk3VJbGAoADQw2NYUVqKb/iGxc4T
Bfd8AgNNEhkCLNfeV6GjWITXbiDf+ZZRPV7mp2Sv
QrpbQF24fCHfm/ei1Zt52pGdByk=
) ; KSK, RSASHA256 (2048b), id = 9976
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164008 (
20200725151008 9976 example.com.
OTwPOHRRh0WOwIf3RLQDkcxM+dEEYfG3uHfy5Z6F
FJYO71JkPrMGgi5vR3aZClkADQ8Ncd+MvfMuzTB8
hXOa/SUFDcwf0cX2eO0uZQy1SKfFSnqmMarpr37v
Bd9xCy7WthsVg/6FjkkOZaPHI6hyQgjVQjeiIv5m
raFP9XILCzg8FTVZumh99pbC3BuQ9YtyjqoNz9oF
xB1IsEw2iabeowJqQIorm2BV9n0MpmOWEHaAZzov
uLY4O2FaaSs0vfT7kNrpv/CXvv26JCh7amwuYbjE
qAXkq+2Zscc9gARUIF89DHKKtDv70Hp3tB/ykS54
QB1uTA2sQGlYJN/9AXC+4g==
)
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164008 (
20200725151008 21790 example.com.
dR9LxHmDVVAfBAuY7TORnHIlhpGBsUcN0j3p2rcu
m6JACKP6VxZY9d216Xv7jgS6bToBVPuaRv9GMNje
k2NpWgG4ZIh1y2iKXdHrX+EN7+On980b8UsEaSZg
JIAL2q40XdftuD6hKDFte4MZEueoYoJJsEJQruCZ
0T3vrZHUcwFm9X+lxNvin4SWNYjNgY+RX7xrc81A
I/ualn6S/lGJTBgGVs5eSRHrprMDlehCZHjqnjVQ
1QI4acmZS97oJgF1RzF6WR7ZnQ+zGJk0F3ETbC4b
IcVHqVV/vJcrQIk6Y2UlFE1VxY9qs0QaXb1k0ezm
oUL+r/SGzSjYAdfKbFQjyw==
)
** Schedule revocation of the old KSK one minute from now (revoke=+1mi). Note that the re-sign triggered by the reload at 16:42:03 still lists tag 9976 as a plain active key; the REVOKE bit is only applied at the scheduled time, when the signer runs again at 16:42:56 and logs the key under its new tag 10104 (marked "active+")
[root@ods knotrev]# keymgr example.com set 09976 revoke=+1mi
OK
[root@ods knotrev]# knotc -b reload
Reloaded
2020-07-25T16:42:03 info: configuration reloaded
2020-07-25T16:42:03 info: [example.com.] DNSSEC, signing zone
2020-07-25T16:42:03 info: [example.com.] DNSSEC, key, tag 9976, algorithm RSASHA256, KSK, public, active
2020-07-25T16:42:03 info: [example.com.] DNSSEC, key, tag 21790, algorithm RSASHA256, KSK, public, active
2020-07-25T16:42:03 info: [example.com.] DNSSEC, key, tag 45025, algorithm RSASHA256, public, active
2020-07-25T16:42:03 info: [example.com.] DNSSEC, signing started
2020-07-25T16:42:03 info: [example.com.] DNSSEC, zone is up-to-date
2020-07-25T16:42:03 info: [example.com.] DNSSEC, next signing at 2020-07-25T16:42:56
2020-07-25T16:42:56 info: [example.com.] DNSSEC, signing zone
2020-07-25T16:42:56 info: [example.com.] DNSSEC, key, tag 21790, algorithm RSASHA256, KSK, public, active
2020-07-25T16:42:56 info: [example.com.] DNSSEC, key, tag 10104, algorithm RSASHA256, KSK, public, active+
2020-07-25T16:42:56 info: [example.com.] DNSSEC, key, tag 45025, algorithm RSASHA256, public, active
2020-07-25T16:42:56 info: [example.com.] DNSSEC, signing started
2020-07-25T16:42:56 info: [example.com.] DNSSEC, successfully signed
2020-07-25T16:42:56 info: [example.com.] DNSSEC, next signing at 2020-08-01T16:38:45
2020-07-25T16:42:56 info: [example.com.] zone file updated, serial 2010111218 -> 2010111219
** finally: the old KSK reappears under a new key tag: s/09976/10104/. The public key material is unchanged (same base64 as above); only the flags changed from 257 to 385 (REVOKE bit, RFC 5011). Because the key tag is computed over the complete DNSKEY RDATA including the flags field, setting REVOKE necessarily changes the tag. The revoked key still signs the DNSKEY RRset with itself (RRSIG key tag 10104 below) — RFC 5011 requires this self-signature for validators to accept the revocation. Caveat: revocation is a signal for RFC 5011 trust-anchor holders; if a DS for this key is published at the parent, that DS no longer matches the revoked RDATA (the DS digest also covers the flags), so a DS for the remaining KSK (21790) must already be in place before this step
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAaydhne/z5EwMRvT1MxcHorlCMjbA5Iv8V3r
vrweDL/vG/U+Q6lqxwV4ndKJB99V76eLYwwGMS9k
ZPfbjrrelG7JIipqvUSFdvw/Yl6u49qNxtP2orP+
02ZqJjLp4d877M1eRsMkY4Xj6L2Fu60u9zpgMIzM
nUzrZ09qTeULkat/8IO59tLfqgO5TqijweSozH2T
b13Q5E0uxWbMcPiDeBDezCLx2WNmzL2B1gn+tLhB
8vTzExVHjt3JYXTPhG1ozRydybkeelem6n4mOAVN
s8enD9Fti2Tqny/aJnspi2+Tumk488x1sY5Ea9/V
8b2aFK8OeT0MlWwpVVGacbOoU20=
) ; KSK, RSASHA256 (2048b), id = 21790
example.com. 3600 IN DNSKEY 385 3 8 (
AwEAAcQbt9aCQA7bzkiY34UsOtjlc+MsGTkWia4e
Dajwf+05ESYNPYvueGTnOGtgkkqfzKLCqoQBnagO
wzSj6xcThmVgehbQ38mz+3kwK0aPI5h9msKNiLc2
DlyMT0dGNpA5Hn9TF3TcBq/nnZDQ2SlolkfrJgm4
QM399nxdZG0gY0qoIbHUWxhS7nhCJH/lNT0aU1EP
umdxH+WNVYA+8nUfz/Hus6pps8PhvUtr/Gr8rItP
X53M+ILATaTTCk3VJbGAoADQw2NYUVqKb/iGxc4T
Bfd8AgNNEhkCLNfeV6GjWITXbiDf+ZZRPV7mp2Sv
QrpbQF24fCHfm/ei1Zt52pGdByk=
) ; KSK, RSASHA256 (2048b), id = 10104
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164256 (
20200725151256 10104 example.com.
kF288e6D/JfuFsiSJUaFweVX9fLPmaTPxVEbl9N0
ni3LMnpxHSc5NEudRAfgEe3Q8cRhxJIkcsoGWfBV
k0l2Z+0olvNlAPEMnE5SqsCOD23LgqV57rt9HOX6
WuFHIyViFDtjQRxdXLTIMQzrG1nFpiEJiQUsUUF2
4cpZTjijs4uwUd4jgrqBYWjdIPOq56suSVSVXzlz
sEjF9B4gKrnj4CcQjzQ8DHluqxSgjX08V68wf/sP
4yrYNH8eFvjEonw8kTT6PFzm7fxFmCHt2eTaYnLK
+fg0s8wK3ajbj25CovWHNPX72UKXqA1iUlDQbh78
WhyDJ82Bi1PQb6g5lq3IEg==
)
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164256 (
20200725151256 21790 example.com.
MqFIpEKiZZ+9/UAlt2hM3+HjxW4LwiXhjNGBQcVm
K7Ak/qNOpSqhoLnDcKKuI+ub+MU05ToNQ/JrWHLm
xUki6t69PYTlsU5CFOEfE4MqJgqTyIgOuG31AvPv
JtV1qJl4vzLWAgdrY8p2HFZuto5pGDjgoa43/aEf
wpUKltTqh2Kc9SfLvp27GUHyuRswCBN7D8cX+PWf
3I/yv5za92VxBeBbg1ByjcifNQRGYMTaOE44glwL
WivzETk5THtAzWqAa8ebR2aECYB1tVs9gU/sP9hd
gyerXVa/3XeLjtuYRi2MriVdKJK9X93mD/xB/hTP
Q8mVbwKNUlCHsPNQsfYCxg==
)
[root@ods knotrev]# keymgr example.com list
[root@ods knotrev]# keymgr example.com list iso
1ef2baf93933d25f304069427bed34938ada5543 ksk=yes zsk=no tag=09976 algorithm=8 size=2048 public-only=no pre-active=1970-01-01T00:00:00Z publish=2020-07-25T16:38:34Z ready=2020-07-25T16:38:34Z active=2020-07-25T16:38:34Z retire-active=1970-01-01T00:00:00Z retire=1970-01-01T00:00:00Z post-active=1970-01-01T00:00:00Z revoke=2020-07-25T16:42:56Z remove=1970-01-01T00:00:00Z
27abf5cf726c1ee9d72a1d1498b8cd14b1d25cc3 ksk=yes zsk=no tag=21790 algorithm=8 size=2048 public-only=no pre-active=1970-01-01T00:00:00Z publish=2020-07-25T16:39:02Z ready=2020-07-25T16:39:02Z active=2020-07-25T16:39:02Z retire-active=1970-01-01T00:00:00Z retire=1970-01-01T00:00:00Z post-active=1970-01-01T00:00:00Z revoke=1970-01-01T00:00:00Z remove=1970-01-01T00:00:00Z
2f7e102251d5589ab674ed0bb9c0505ba07ee078 ksk=no zsk=yes tag=45025 algorithm=8 size=1024 public-only=no pre-active=1970-01-01T00:00:00Z publish=2020-07-25T16:38:22Z ready=1970-01-01T00:00:00Z active=2020-07-25T16:38:22Z retire-active=1970-01-01T00:00:00Z retire=1970-01-01T00:00:00Z post-active=1970-01-01T00:00:00Z revoke=1970-01-01T00:00:00Z remove=1970-01-01T00:00:00Z