Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

egoitz at ramattack.net
Mon Jan 24 11:59:56 UTC 2022


Good morning, 

I have a DNSSEC "bump in wire" server, which uses "inline-signing yes;" 
and "auto-dnssec maintain;" for that reason. 

I do the task of ensuring there are always valid keys in the zone with a
script that generates them whenever needed. All fine until here and
all working.

I have seen that Bind sometimes logs the following errors in the messages
log file:

_dns_dnssec_keylistfromrdataset: error reading
/xxx/xxx/xxx/xx-domain/named.aaa/aaa.xx.+008+41919.private: file not
found

That "file not found" is due to a rename of ".key" and ".private" files
to ".key-OLD" and ".private-OLD". 

I did the rename, because I have seen that the ZSK key 41919 was set to
be deleted (and obviously always renamed after that deletion date) from
the zone, so I renamed the ".key" and ".private" files to ".key-OLD" and
".private-OLD". 

I do this rename because this way my key checking script
differentiates any needed (in effect) key from the "supposedly" (I say
supposedly because I would have said that Bind should not be using
those missing files for anything nowadays!) non-needed keys, in order
to check that each zone always has the needed keys to keep it properly
signed by Bind (else it would generate them).

As I previously commented, I check with a script the existence of all
needed keys for each domain. Obviously, it's not the same to check a
couple of ZSKs, or just one ZSK and a KSK (per domain), as to check them
plus all the keys that become outdated each month.

So, how long should I wait before renaming those files? Should I
handle them with another dnssec-______ command instead of renaming? All
seems to be working well, but I see these errors and was wondering if I
could improve the way of handling outdated keys.

I have been taking a look at the source code of Bind (the tag of the version
I'm using), and I have seen that Bind does not seem to remove any of those key
files when they become outdated. Or does it with some parameter? I have not
been able to find it. I have also taken a look at the ARM, but still
no luck finding the answers I was looking for.

Any help very appreciated, 

Best regards,
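The key-checking script the post describes has to decide, per zone, which keys are still needed and which are past their Delete time. The following is an added example (not part of the original message, and not BIND's own code) that makes that decision from the timing comments dnssec-keygen writes into each .key file (`; Publish:`, `; Activate:`, `; Inactive:`, `; Delete:`) and from the DNSKEY record's flags field (257 = KSK, 256 = ZSK). The key files, zone name and timestamps below are constructed sample input; the state labels are the example's own, not BIND's.

```python
"""Classify BIND DNSSEC .key files by their timing metadata and report which
keys a zone still needs versus which are past their Delete time.
Added example; not from the original post and not BIND's own code.
The file names and key contents below are constructed sample input."""
import re
from datetime import datetime, timezone

# Timing comments in a .key file, e.g. "; Delete: 20220115000000 (Sat Jan 15 ...)"
TIME_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete|Revoke):\s*(\d{14})")
# The DNSKEY record: owner [ttl] [class] DNSKEY <flags> <proto> <alg> <base64...>
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+\d+\s+(\d+)\s+")
# Algorithm number and key id from the file name: K<zone>.+<alg>+<id>.key
FNAME_RE = re.compile(r"\+(\d{3})\+(\d{5})\.key$")


def parse_ts(s):
    """Parse the YYYYMMDDHHMMSS stamps BIND uses in key metadata (UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_file(filename, text):
    """Extract zone, role (KSK/ZSK), key id and timing metadata from one .key file."""
    m = FNAME_RE.search(filename)
    if not m:
        raise ValueError(f"not a BIND .key file name: {filename}")
    info = {"file": filename, "alg": int(m.group(1)), "keyid": int(m.group(2)),
            "zone": None, "role": None, "times": {}}
    for line in text.splitlines():
        t = TIME_RE.match(line)
        if t:
            info["times"][t.group(1)] = parse_ts(t.group(2))
            continue
        d = DNSKEY_RE.match(line)
        if d:
            info["zone"] = d.group(1)
            # Flags 257 has the SEP bit set (KSK); 256 is a plain ZSK.
            info["role"] = "KSK" if int(d.group(2)) & 1 else "ZSK"
    if info["role"] is None:
        raise ValueError(f"no DNSKEY record in {filename}")
    return info


def key_state(info, now):
    """Lifecycle state from metadata alone.  The labels are this example's own."""
    t = info["times"]
    if "Delete" in t and now >= t["Delete"]:
        return "past-delete"
    if "Inactive" in t and now >= t["Inactive"]:
        return "inactive"
    if "Activate" in t and now >= t["Activate"]:
        return "active"
    if "Publish" in t and now >= t["Publish"]:
        return "published"
    return "pending"


def check_zone(keys, now):
    """Return (roles with no active key, key ids whose Delete time has passed)."""
    states = {k["keyid"]: key_state(k, now) for k in keys}
    active_roles = {k["role"] for k in keys if states[k["keyid"]] == "active"}
    missing = sorted({"KSK", "ZSK"} - active_roles)
    past_delete = sorted(k["keyid"] for k in keys if states[k["keyid"]] == "past-delete")
    return missing, past_delete


# Constructed sample key files for a hypothetical zone "example.test."
SAMPLE_KEYS = {
    "Kexample.test.+008+12345.key": """\
; This is a key-signing key, keyid 12345, for example.test.
; Created: 20210601000000 (Tue Jun  1 00:00:00 2021)
; Publish: 20210601000000 (Tue Jun  1 00:00:00 2021)
; Activate: 20210601000000 (Tue Jun  1 00:00:00 2021)
example.test. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDKSKSAMPLE=
""",
    "Kexample.test.+008+41919.key": """\
; This is a zone-signing key, keyid 41919, for example.test.
; Created: 20211101000000 (Mon Nov  1 00:00:00 2021)
; Publish: 20211101000000 (Mon Nov  1 00:00:00 2021)
; Activate: 20211201000000 (Wed Dec  1 00:00:00 2021)
; Inactive: 20220101000000 (Sat Jan  1 00:00:00 2022)
; Delete: 20220115000000 (Sat Jan 15 00:00:00 2022)
example.test. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSKOLD=
""",
    "Kexample.test.+008+50001.key": """\
; This is a zone-signing key, keyid 50001, for example.test.
; Created: 20211201000000 (Wed Dec  1 00:00:00 2021)
; Publish: 20211201000000 (Wed Dec  1 00:00:00 2021)
; Activate: 20220101000000 (Sat Jan  1 00:00:00 2022)
; Inactive: 20220201000000 (Tue Feb  1 00:00:00 2022)
; Delete: 20220215000000 (Tue Feb 15 00:00:00 2022)
example.test. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSKNEW=
""",
}


def run_check(now_ts):
    """Evaluate the sample zone at the given YYYYMMDDHHMMSS instant."""
    keys = [parse_key_file(name, text) for name, text in SAMPLE_KEYS.items()]
    return check_zone(keys, parse_ts(now_ts))


if __name__ == "__main__":
    missing, past_delete = run_check("20220124120000")
    print("roles without an active key:", missing or "none")
    print("keys past their Delete time:", past_delete or "none")
```

Two caveats for using this in practice. First, the metadata is what `auto-dnssec maintain` itself acts on, so a key showing as past its Delete time only says that BIND was scheduled to remove its DNSKEY record, not that named has stopped opening the file; the log line quoted in the post shows it still looked for the .private file after the rename. Before archiving, confirm the key id is no longer present in the zone's published DNSKEY RRset and no RRSIGs made with it remain within their TTL, and keep a margin beyond the Delete time. Second, a zone with no role in `missing` but an empty successor set is still one rollover away from trouble, so a monitoring script should also warn when the only active ZSK has an Inactive time closer than the next scheduled key generation.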