dnssec-policy: Old DNSKEYs still in zone despite status showing hidden
Magnus Holmgren
magnus.holmgren at millnet.se
Wed Aug 10 09:13:09 UTC 2022
Hi,
I migrated a couple of zones from BIND 9.16.6 on SuSE to 9.16.27 on Debian and
at the same time switched from auto-dnssec maintain to a dnssec-policy with
RSASHA256 instead of RSASHA1 (actually, I first applied a policy matching the
old keys and with unlimited lifetime to avoid confusing BIND).
Though it seems to take longer than expected to finish a key rollover, even
taking into account propagation delay, TTLs, and retire-safety, the old keys
were eventually removed from the first zone. One zone I'm still waiting for,
and that rollover started Friday. One question: Is it necessary to use rndc
dnssec -checkds or is that only meant as a backup, and named is supposed to
query the parent for DS records automatically?
The last zone, milltime.se, has become stuck. sudo rndc dnssec -status reports
that the old keys are removed from the zone and the new keys are omnipresent,
but the log says "zone milltime.se/IN (signed): Key milltime.se/RSASHA1/22971
missing or inactive and has no replacement: retaining signatures."
Never mind. I was too quick switching to NSEC3, which is incompatible with the
old key. Switching back to NSEC allowed the rollover to complete. Still,
shouldn't BIND have been able to figure this out on its own? It kept using
NSEC because of the incompatible key, and it kept the incompatible key needed
to verify the NSEC records. Catch-22? (Yes, I've read about the questionable
merits of NSEC3.)
--
Magnus Holmgren, developer
MILLNET AB, Datalinjen 1, 583 30 Linköping
Direct: 013-470 40 09 Switchboard: 013-470 40 00
Support: 013-470 40 19
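The catch-22 above comes from RFC 5155: DNSKEY algorithms 3 (DSA) and 5 (RSASHA1) signal an NSEC-only zone, so a resolver that sees such a key still published will not accept NSEC3 for that zone, and named cannot switch until the key is gone. The following checker is an added example (not code from the list post or from BIND): it parses a DNSKEY RRset in presentation format, computes the RFC 4034 key tag so the output matches the "RSASHA1/22971" form in named's log, and lists the keys that block an NSEC3 rollover. The zone name and key material in it are constructed placeholders.

```python
import base64
from dataclasses import dataclass

# RFC 5155 section 2 and 10.4: a published DNSKEY with one of these algorithms
# tells validators the zone uses NSEC, so NSEC3 cannot be enabled while it is still in the zone.
NSEC_ONLY_ALGORITHMS = {3, 5}
ALGORITHM_NAMES = {3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
                   8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
                   14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}


@dataclass
class DnsKey:
    owner: str
    flags: int
    algorithm: int
    key_tag: int

    def nsec3_compatible(self) -> bool:
        return self.algorithm not in NSEC_ONLY_ALGORITHMS


def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the wire-format DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> DnsKey:
    """Parse one DNSKEY RR in presentation format, e.g. as printed by `dig DNSKEY <zone>`."""
    fields = line.split()
    owner, flags, protocol, algorithm = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
    public_key = base64.b64decode("".join(fields[7:]))   # key may be split across whitespace
    return DnsKey(owner, flags, algorithm, key_tag(flags, protocol, algorithm, public_key))


def nsec3_blockers(rrset: str) -> list[str]:
    """Return 'owner/ALGORITHM/tag' for every published key that forbids NSEC3 in this zone."""
    keys = [parse_dnskey(line) for line in rrset.splitlines() if "DNSKEY" in line]
    return [f"{k.owner}/{ALGORITHM_NAMES.get(k.algorithm, k.algorithm)}/{k.key_tag}"
            for k in keys if not k.nsec3_compatible()]


# Constructed sample RRset (placeholder zone, 4-byte dummy key material): an old RSASHA1 ZSK
# still published next to the RSASHA256 KSK and an RSASHA1-NSEC3-SHA1 ZSK that replaced it.
SAMPLE_DNSKEY_RRSET = """\
example.test. 3600 IN DNSKEY 256 3 5 AQIDBA==
example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 7 AQIDBA==
"""

if __name__ == "__main__":
    for blocker in nsec3_blockers(SAMPLE_DNSKEY_RRSET):
        print(f"NSEC3 blocked until key {blocker} is removed from the zone")
```

Run it against `dig +short DNSKEY <zone>` output (prefixing the owner, TTL and class) before changing `nsec3param` in a dnssec-policy; an empty list means no published key forces NSEC.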