Migration to dnssec-policy removes current ZSK's DNSKEY

Andreas Vögele andreas at andreasvoegele.com
Mon Jan 30 11:34:42 UTC 2023


Hello,

A year ago, I migrated a subdomain from auto-dnssec to dnssec-policy 
according to https://kb.isc.org/docs/dnssec-key-and-signing-policy.

Everything went well. named set the ZSK's lifetime to 0. I later 
initiated a manual rollover. I also had to set the KSK's DSState 
manually from rumoured to published.

The domain uses this policy:

  dnssec-policy "myway" {
   keys {
    ksk key-directory lifetime unlimited
        algorithm rsasha256 2048;
    zsk key-directory lifetime P60D
        algorithm rsasha256 1024;
   };
  };

When I migrated another domain today, the active ZSK was immediately 
superseded by a new ZSK (same algorithm) and the old ZSK's DNSKEY wasn't 
published. For the time being, I've added an unlimited policy in order 
to keep the current ZSK:

  dnssec-policy "myunlimited" {
   keys {
    ksk key-directory lifetime unlimited
        algorithm rsasha256 2048;
    zsk key-directory lifetime unlimited
        algorithm rsasha256 1024;
   };
  };

How can I enable ZSK rollover without immediately losing the current 
ZSK's DNSKEY?

The current ZSK is old and has these keys in the private file:

  Private-key-format: v1.3
  Created: 20151010091913
  Publish: 20151010091913
  Activate: 20151010091913

With the "myway" policy, named added the keys below when I switched from 
auto-dnssec to dnssec-policy.

  Inactive: 20151209091913
  Delete: 20151219102413

Why does named add new keys with past dates?

Another problem: Even after running "rndc dnssec -checkds published 
example.com" the KSK stays in DSState rumoured. I've got the following 
messages in the log:

  keymgr: checkds DS for key example.com/RSASHA256/12345
  seen published at Mon Jan 30 10:58:16 2023
  zone example.com/IN (signed): reconfiguring zone keys

I have BIND 9.18.10 on Fedora 37. A year ago I had BIND 9.16.23 on 
Fedora 35.

Kind regards,
Andreas
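An added pre-migration check, not part of the post above and not BIND's own code: it parses the YYYYMMDDHHMMSS timing fields of a `.private` file the way they appear in the quoted key and lines them up with a `dnssec-policy` lifetime. The sample key file is constructed from the dates quoted in the post, and the post date is used as "now"; the field names and the ISO 8601 lifetime syntax (`P60D`, `unlimited`) are as shown on the page, everything else (function names, the `retire-now`/`keep` verdict) is this example's own. It shows the arithmetic behind the question: Activate (2015-10-10 09:19:13) plus P60D is exactly the Inactive stamp named wrote (2015-12-09 09:19:13), and that instant is more than seven years in the past, so under a finite lifetime the key is due for retirement the moment the policy takes effect.

```python
"""Line up a dnssec-policy ZSK lifetime against the timing metadata in an
existing BIND .private file.  Added example; not code from the post or from BIND."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the timing lines quoted in the post for the 2015 ZSK,
# as they were before the switch from auto-dnssec to dnssec-policy.
SAMPLE_BEFORE = """\
Private-key-format: v1.3
Created: 20151010091913
Publish: 20151010091913
Activate: 20151010091913
"""

# Constructed sample: the same file after named added Inactive/Delete under
# the P60D policy (dates as quoted in the post).
SAMPLE_AFTER = SAMPLE_BEFORE + """\
Inactive: 20151209091913
Delete: 20151219102413
"""

# "Now" for the worked example: the timestamp of the post (UTC).
POST_DATE = datetime(2023, 1, 30, 11, 34, 42, tzinfo=timezone.utc)

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")
_STAMP = re.compile(r"^(\w+):\s*(\d{14})\s*$")


def parse_private_timing(text):
    """Return {field: aware UTC datetime} for the YYYYMMDDHHMMSS timing lines."""
    timing = {}
    for line in text.splitlines():
        m = _STAMP.match(line)
        if m and m.group(1) in TIMING_FIELDS:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timing[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timing


_DUR = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_lifetime(value):
    """'unlimited' -> None; otherwise an ISO 8601 duration built from weeks,
    days, hours, minutes and seconds.  Years/months are rejected on purpose:
    their length is calendar-dependent and this check wants exact arithmetic."""
    if value == "unlimited":
        return None
    m = _DUR.match(value)
    if not m or value in ("P", "PT") or value.endswith("T"):
        raise ValueError(f"unsupported lifetime: {value!r}")
    w, d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)


def assess_zsk(private_text, lifetime, now):
    """With a finite lifetime, Inactive is expected at Activate + lifetime.
    If that instant, or an Inactive/Delete already recorded in the file, lies
    at or before `now`, the key would be retired as soon as the policy applies."""
    t = parse_private_timing(private_text)
    span = parse_lifetime(lifetime)
    expected = t["Activate"] + span if span is not None else None
    recorded = t.get("Inactive")
    result = {
        "expected_inactive": expected,
        "matches_recorded": expected is not None and recorded == expected,
        "inactive_in_past": any(x is not None and x <= now for x in (expected, recorded)),
        "delete_in_past": "Delete" in t and t["Delete"] <= now,
    }
    result["verdict"] = "retire-now" if result["inactive_in_past"] else "keep"
    return result


if __name__ == "__main__":
    for policy in ("P60D", "unlimited"):
        r = assess_zsk(SAMPLE_BEFORE, policy, POST_DATE)
        print(f"{policy:10} -> {r['verdict']:10} expected Inactive: {r['expected_inactive']}")
    print("recorded Inactive == Activate + P60D:",
          assess_zsk(SAMPLE_AFTER, "P60D", POST_DATE)["matches_recorded"])
```

Running the check against a key's `.private` file before switching a zone to `dnssec-policy` tells you whether the lifetime in the policy lands in the past for that key, which is the condition under which the old ZSK is superseded straight away; the `unlimited` policy used in the post is the one setting for which the verdict is `keep`.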


