Old ZSK refuses to retire
Carsten Strotmann
carsten at strotmann.de
Wed Apr 26 12:09:22 UTC 2023
Hi,
I have a situation where in a BIND 9 zone with dnssec-policy and inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. Although the timing metadata shows the retire and deletion dates in the past, the ZSK is still in the zone and is signing the records (along with the new ZSK, so there are two ZSK RRSIGs on each RRset).
Setting new retire/inactive + deletion times with dnssec-settime (with parameter -s to update the state file) does not help either.
Removing the key files will stop the key being active (there are no new RRSigs generated from this key), but the DNSKEY record still stays in the zone.
Any idea how to recover from such a situation (other than removing the signed zone and journals and re-signing the zone again)?
Greetings
Carsten
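An added example (not from Carsten's post and not BIND's own tooling): a small Python checker that correlates the Inactive/Delete timing lines of a key's .private file with a zone dump, and reports keys that are still signing or still published past those dates, which is the symptom described above. Key tags are computed from the DNSKEY rdata per RFC 4034 Appendix B; the key material, zone names, dates and record layout (class IN present, one record per line) are constructed assumptions.

```python
import base64
import re
from datetime import datetime, timezone

def parse_timing(private_text):
    """Parse Publish/Activate/Inactive/Delete lines (BIND .private layout, UTC YYYYMMDDHHMMSS)."""
    out = {}
    for m in re.finditer(r"^(Publish|Activate|Inactive|Delete):\s*(\d{14})$", private_text, re.M):
        out[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return out

def keytag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY rdata (any algorithm except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def stale_keys(keys, zone_text, now):
    """keys: {tag: timing dict}. Report keys that should be gone but still appear in the zone."""
    published, signing = set(), set()
    for line in zone_text.splitlines():
        f = line.split()  # name ttl class type rdata...
        if len(f) >= 8 and f[3] == "DNSKEY":
            published.add(keytag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif len(f) >= 11 and f[3] == "RRSIG":
            signing.add(int(f[10]))  # key tag field of the RRSIG rdata
    findings = {}
    for tag, t in keys.items():
        probs = []
        if "Inactive" in t and now >= t["Inactive"] and tag in signing:
            probs.append("still signing after Inactive")
        if "Delete" in t and now >= t["Delete"] and tag in published:
            probs.append("DNSKEY still published after Delete")
        if probs:
            findings[tag] = probs
    return findings

# Constructed sample data: tiny keys on purpose (tags come out as 2063 and 2319); the
# old ZSK is past both Inactive and Delete, yet the zone shows its DNSKEY and RRSIGs.
OLD_ZSK = "Publish: 20230101000000\nActivate: 20230111000000\nInactive: 20230401000000\nDelete: 20230411000000\n"
NEW_ZSK = "Publish: 20230322000000\nActivate: 20230401000000\n"
ZONE = """example.test. 3600 IN DNSKEY 256 3 13 AQID
example.test. 3600 IN DNSKEY 256 3 13 AQIE
www.example.test. 300 IN A 192.0.2.1
www.example.test. 300 IN RRSIG A 13 3 300 20230510000000 20230426000000 2063 example.test. c2lnMQ==
www.example.test. 300 IN RRSIG A 13 3 300 20230510000000 20230426000000 2319 example.test. c2lnMg==
"""

def check_sample(now=datetime(2023, 4, 26, 12, 9, 22, tzinfo=timezone.utc)):
    keys = {2063: parse_timing(OLD_ZSK), 2319: parse_timing(NEW_ZSK)}
    return stale_keys(keys, ZONE, now)
```

Run `check_sample()` to see the old key flagged on both counts; on a real zone feed it `named-compilezone`/`dig AXFR` output and the `.private` files from the key directory.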
More information about the bind-users mailing list