key dir massive
Matthijs Mekking
matthijs at isc.org
Thu Dec 22 14:32:47 UTC 2022
Hi Edwardo,
On 12/22/22 05:01, Edwardo Garcia wrote:
> Hi,
> I recently upgraded from 9.16 to latest version and changed a zone, ran
> verisign test and it said all good, so changed my zones from auto
> maintain dnssec to dnssec policy default, what a nightmare, most our
> zones vanished few hours later for a day, and it create new keys for
> everything, this bug I saw was fixed many versions ago, should it not
> see my have keys and re-use them (keys were made a year ago on current
> at the time v9.11, we upgrade to 9.16 in July and no issue till these
> option name change rubbish. I was warned by colleagues not to do this as
> they too say migration nightmares, but I am my own person and now I
> regret not listening to their advice.
I hope you have read our KB article on dnssec-policy before migrating:
https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
It should list the main pitfalls to save you a lot of hassle (I suspect
you started algorithm rollover immediately when changing to
dnssec-policy default).
If there are any things we should add, I am happy to receive your
suggestions.
> Now I think is under control, once identifying the current key set, is
> it safe to manually delete all the others keys privates and states,
> except the current one, and will any of that DS change again?
Probably, but without knowing your current state of things it is hard to
give a more confident answer.
Setting 'purge-keys' inside your 'dnssec-policy' is probably your best
bet for the future. By default, no longer used keys are deleted from
disk after 90 days.
Best regards,
Matthijs
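As an added illustration (not part of this thread or of ISC's documentation), a named.conf fragment that replaces the built-in 'default' policy with a named policy carrying an explicit 'purge-keys' value; the algorithm, key sizes, lifetimes and paths are assumptions and should be matched to the keys already present in the zone's key directory, which is the pitfall the reply points at:

```conf
// Custom policy instead of the built-in "default": clauses left out fall
// back to the built-in defaults, so only what differs needs to be stated.
dnssec-policy "keep-existing-keys" {
    keys {
        // ASSUMPTION: the keys created under 9.11 were a split KSK/ZSK pair
        // using RSASHA256 2048. Naming the same algorithm here avoids the
        // immediate algorithm rollover that a switch to "default"
        // (single CSK, ECDSAP256SHA256) would trigger.
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime P90D       algorithm rsasha256 2048;
    };

    // Remove key files and their .state files from disk once a key has been
    // out of use for this long. P90D (90 days) is the built-in default; it
    // is written out here so the retention period is visible in the config.
    purge-keys P90D;
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";           // ASSUMPTION: zone file path
    key-directory "/var/named/keys";             // ASSUMPTION: where the existing K*.key files live
    inline-signing yes;                          // dnssec-policy needs a dynamic or inline-signed zone
    dnssec-policy "keep-existing-keys";
};
```

After a reload, 'rndc dnssec -status example.com' shows which keys the policy has adopted and what state each one is in, which is worth checking before deleting anything by hand.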