dnssec-policy makes BIND touch all key files every hour
Laurent Frigault
lolo at troll.free.org
Mon Apr 25 16:49:45 UTC 2022
On Sun, Apr 24, 2022 at 11:58:44AM +0200, Bjørn Mork wrote:
Hello,
> I recently moved a few zones from "auto-dnssec maintain" to
> "dnssec-policy ..." to prepare for simpler/automatic key rotation in the
> future.
>
> For the time being I have configured my policy with separate KSK and ZSK
> and unlimited key life times to replicate the old setup as closely as
> possible. I also had a few old and outdated keys lying around, and
> would like to keep those, so my policy has "purge-keys 0". All other
> policy settings are default.
>
> The setup is mostly working as expected - which is great. But there is
> one issue which has surprised me, and which is slightly annoying since it
> tends to set off a few security warnings: All the key related files are
> now touched by BIND once an hour, whether they are modified or not.
> Which they obviously never should be, given my current policy.
I discovered the same issue with bind 9.16.27 and FreeBSD 13.0.
> This is particularly surprising wrt the deleted keys. But it's equally
> unnecessary with the current keys. And touching those is actually more
> annoying since it's an unexpected file system operation with real
> security implications. Or at least it feels that way...
My test server runs only a few zones and only one with dnssec-policy, but
I have a production server with more than 70 000 zones. This issue
would generate a very high IO load on such a server.
> Is this expected or am I doing something wrong? And if this is
> expected, then why?
Good question.
--
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registrar ID 74
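The thread's practical problem is that hourly touches of K*.key and K*.private files trip file-integrity alerts that cannot tell a bumped mtime from a real key change. The script below is an added example, not code from the thread or from BIND: it snapshots the content hash and mtime of every key file in a directory, then classifies each file on a later check as UNCHANGED, TOUCHED (mtime moved, content identical), MODIFIED (content differs) or NEW, so alerts on mere touches can be triaged separately from genuine key modifications. The key-directory path and file names are assumptions; it needs POSIX sh plus sha256sum (GNU) or shasum (BSD/macOS), and a stat that accepts either -c %Y (GNU) or -f %m (BSD).

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): tell key files that were
# merely touched apart from key files whose content actually changed.

# Content hash of one file, GNU sha256sum or BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Modification time in epoch seconds, GNU stat first, BSD stat as fallback.
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Record "path hash mtime" for every K*.key and K*.private under $1 into $2.
snapshot_keys() {
    keydir="$1"; out="$2"
    : > "$out"
    for f in "$keydir"/K*.key "$keydir"/K*.private; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "$f" "$(hash_file "$f")" "$(mtime_of "$f")" >> "$out"
    done
}

# Classify one file ($1) against a snapshot ($2).
# Prints exactly one of: UNCHANGED, TOUCHED, MODIFIED, NEW.
classify_key() {
    f="$1"; snap="$2"
    line=$(awk -v p="$f" '$1 == p { print; exit }' "$snap")
    [ -n "$line" ] || { echo NEW; return 0; }
    old_hash=$(echo "$line" | awk '{ print $2 }')
    old_mtime=$(echo "$line" | awk '{ print $3 }')
    if [ "$(hash_file "$f")" != "$old_hash" ]; then
        echo MODIFIED            # content changed: a real key change, investigate
    elif [ "$(mtime_of "$f")" != "$old_mtime" ]; then
        echo TOUCHED             # only the timestamp moved, content identical
    else
        echo UNCHANGED
    fi
}

# Print "STATUS path" for every key file currently in $1, judged against $2.
report_keys() {
    keydir="$1"; snap="$2"
    for f in "$keydir"/K*.key "$keydir"/K*.private; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(classify_key "$f" "$snap")" "$f"
    done
}

# Command-line use (KEYDIR is an assumed path, e.g. BIND's key-directory):
#   sh keytouch.sh snapshot /var/named/keys /var/tmp/keys.snap
#   sh keytouch.sh check    /var/named/keys /var/tmp/keys.snap
case "${1:-}" in
    snapshot) snapshot_keys "$2" "$3" ;;
    check)    report_keys   "$2" "$3" ;;
esac
```

Take the snapshot right after a deliberate key operation, then run the check whenever the integrity monitor fires: a report consisting only of TOUCHED lines matches the hourly behaviour described in the thread, while any MODIFIED or NEW line is a change that the policy did not announce and deserves a look.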