I was adding DNSSEC to a few of my domains recently, and I noticed that on every single one, the DNSSEC Key Tag was always 2371. What is the point in asking for it if it never changes? (or does it change? When?), and why is it specifically 2371?

retnikt

1 Answer

Your question is not clear. Who is asking for it?

What you call a "key tag" is what is in RRSIG records to identify which key was used to sign the records and hence produce these RRSIG records, see RFC 4034 §3. Typically, at a given point in time in a zone there is only one Zone Signing Key (ZSK), so all RRSIG records will indeed have the same key tag.

The key tag is the same... if you are using the same key. The key tag or key id references the key. It is not a good reference because there are collisions (the space is small by definition: 2 bytes, so 65536 values in theory, in practice less than half in fact because of bugs in the algorithm and implementations); it is just there to make sysadmins' lives easier.

Your value, 2371, is just one random value among others; it has no specific meaning. But then you give absolutely no context in your question... Which domains are you talking about? Are you the authoritative nameservers' operator or just looking at others' domains? Did you put a DPS in place to understand keys, key rotations, signatures, etc.?

You can configure multiple domains with the same key, but this is not recommended as all your domains will then share fate, will need to have corresponding DS records changed at the same time (if the key is a KSK), etc.

Even for a single domain, your ZSK should change regularly (typically each month or every two months; both are frequent values), and then new RRSIG records will appear referencing the new key, hence with a new key tag.

The only key tags (ids) that seldom change are the ones on the root zone. It is not that they never change; they seldom change. They changed one year ago. But they will probably not change again soon. They are 22545 and 20326 currently:

$ dig +multi . DNSKEY

; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> +multi . DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41551
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1480
;; QUESTION SECTION:
;.          IN DNSKEY

;; ANSWER SECTION:
.           22845 IN DNSKEY 256 3 8 (
                AwEAAbPwrxwtOMENWvblQbUFwBllR7ZtXsu9rg/Ldykl
                Ks9gU2GQTeOc59XjhuAPZ4WrT09z6YPL+vzIIJqnG3Hi
                ru7hFUQ4pH0qsLNxrsuZrZYmXAKoVa9SXL1Ap0LygwrI
                ugEk1G4v7Rk/Alt1jLUIE+ZymGtSEhIuGQdXrEmj3ffz
                XY13H42X4Ja3vJTn/WIQOXY7vwHXGDypSh9j0Tt0hknF
                1yVJCrIpfkhFWihMKNdMzMprD4bV+PDLRA5YSn3OPIeU
                nRn9qBUCN11LXQKb+W3Jg+m/5xQRQJzJ/qXgDh1+aN+M
                c9AstP29Y/ZLFmF6cKtL2zoUMN5I5QymeSkJJzc=
                ) ; ZSK; alg = RSASHA256 ; key id = 22545
.           22845 IN DNSKEY 257 3 8 (
                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                ) ; KSK; alg = RSASHA256 ; key id = 20326

If you ask for RRSIG records in this zone you will find one of these ids referenced:

$ dig com. NS +dnssec +multi @a.root-servers.net

[...]

com.            86400 IN RRSIG DS 8 1 86400 (
                20191113170000 20191031160000 22545 .
                UEC85qqrUaAML/8TSKs6971lvQAI0jCFAEamLCV2e5N/
                wnnY2xsUF3TEWBfBB7VByxpRzzB87NuWNGh9jf6wlx7p
                QQ/FidKxV+lk3LGDb6aqfM9ACRKlSm6xQb9k4Y21A2aO
                lDsHXdfJaKsUvw7AHS6WqBDBsh6AKuDCL5zm/E03UP2A
                8cDhVr1yNnvcY48il3JLAYsSMRviID/Q6lND446za6H3
                w2LiqaMoXg4s/pVj0uV8Sc9G4csWesgXXthQSy3nBe77
                DYca7vt89uN2eYFlTwTnCVYTkkNC67L0B95NRqRhMISA
                MgdoFCcfwAgPpWeWLEcd72EuJ/IWBWBSgA== )

The 22545 is the key tag of this RRSIG record, that is, the key used to create it.

Patrick Mevzek
  • Every time I generate DNSSEC records from Cloudflare it gives me a result like: `example.com. 3600 IN DS 2371 13 2 abcdef123...`. Every knowledgebase article of every registrar always uses 2371 as the example domain key, for example Namecheap: https://www.namecheap.com/support/knowledgebase/article.aspx/9722/2232/managing-dnssec-for-domains-pointed-to-custom-dns and – retnikt Nov 01 '19 at 08:25
  • Ok so I think it might just be cloudflare who always gives 2371 – retnikt Nov 01 '19 at 08:30
  • @retnikt "Every knowledgebase article of every registrar" I'm pretty sure not every one. It seems just copy and paste from one to another. And I do not know about "I generate DNSSEC records from Cloudflare it gives me a result like" but if DS records are using the same id for different domains it just means a given key is shared among different domains, which is technically possible. Then you are not giving concrete live examples of concerned domains so it is difficult to help you further. – Patrick Mevzek Nov 01 '19 at 14:01
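How the key tag seen in the answer's DNSKEY and RRSIG output is actually derived, as an added example that is not part of the answer or the question: the RFC 4034 Appendix B checksum applied to the root KSK printed above (expected to yield 20326, the key id dig reports), plus a constructed pair of keys showing why the answer calls the tag a poor unique reference. The small test keys and their byte values are constructed for illustration.

```python
import base64
import struct

# Root KSK as printed by the dig output above: flags 257, protocol 3, algorithm 8 (RSASHA256).
ROOT_KSK = (
    "257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO"
    "iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
    "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5"
    "LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
    "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7"
    "pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
    "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws"
    "9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the RDATA (a checksum, not a hash)."""
    if rdata[3] == 1:  # obsolete RSA/MD5: tag is the two bytes before the last modulus byte (B.1)
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8  # even offsets weigh 256x, odd offsets 1x
    ac += (ac >> 16) & 0xFFFF               # fold the carry back into the low 16 bits
    return ac & 0xFFFF

def key_tag_from_presentation(text: str) -> int:
    """Parse the zone-file/dig form 'flags protocol algorithm base64...' and return its tag."""
    flags, protocol, algorithm, *b64_parts = text.split()
    public_key = base64.b64decode("".join(b64_parts))
    return key_tag(dnskey_rdata(int(flags), int(protocol), int(algorithm), public_key))

def same_tag_different_keys() -> tuple[int, int]:
    """Constructed collision: swapping two key bytes at even offsets leaves the tag unchanged."""
    a = dnskey_rdata(256, 3, 13, bytes([0x01, 0x02, 0x03, 0x04]))  # constructed ZSK, alg 13
    b = dnskey_rdata(256, 3, 13, bytes([0x03, 0x02, 0x01, 0x04]))  # different key, same tag
    return key_tag(a), key_tag(b)

if __name__ == "__main__":
    print("root KSK tag:", key_tag_from_presentation(ROOT_KSK))  # 20326, matching dig above
    print("collision:", same_tag_different_keys())               # (2067, 2067)
```

Because the tag is an additive checksum, any two keys whose bytes are permuted within the same parity positions collide, which is why validators match RRSIGs against every DNSKEY with that tag and then verify the signature cryptographically.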