Migration to dnssec-policy removes current ZSK's DNSKEY
Andreas Vögele
andreas at andreasvoegele.com
Mon Jan 30 11:34:42 UTC 2023
Hello,
A year ago, I migrated a subdomain from auto-dnssec to dnssec-policy
according to https://kb.isc.org/docs/dnssec-key-and-signing-policy.
Everything went well. named set the ZSK's lifetime to 0. I later
initiated a manual rollover. I also had to set the KSK's DSState
manually from rumoured to published.
The domain uses this policy:
dnssec-policy "myway" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime P60D algorithm rsasha256 1024;
    };
};
When I migrated another domain today, the active ZSK was immediately
superseded by a new ZSK (same algorithm) and the old ZSK's DNSKEY wasn't
published. For the time being, I've added an unlimited policy in order
to keep the current ZSK:
dnssec-policy "myunlimited" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime unlimited algorithm rsasha256 1024;
    };
};
How can I enable ZSK rollover without immediately losing the current
ZSK's DNSKEY?
The current ZSK is old and has these keys in the private file:
Private-key-format: v1.3
Created: 20151010091913
Publish: 20151010091913
Activate: 20151010091913
With the "myway" policy, named added the keys below when I switched from
auto-dnssec to dnssec-policy.
Inactive: 20151209091913
Delete: 20151219102413
Why does named add new keys with past dates?
Another problem: Even after running "rndc dnssec -checkds published
example.com" the KSK stays in DSState rumoured. I've got the following
messages in the log:
keymgr: checkds DS for key example.com/RSASHA256/12345
seen published at Mon Jan 30 10:58:16 2023
zone example.com/IN (signed): reconfiguring zone keys
I have Bind 9.18.10 on Fedora 37. A year ago I had Bind 9.16.23 on
Fedora 35.
Kind regards,
Andreas
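The post quotes the timing metadata named wrote into the old ZSK's private file (Inactive 60 days after Activate, i.e. the policy lifetime applied to a key activated in 2015). The following added example, which is not part of the original message or of BIND, parses those Private-key-format timing fields and checks what a given dnssec-policy lifetime implies for the key; the sample file content is constructed from the timestamps quoted above.

```python
# Added example: parse the timing lines of a BIND private-key file
# (Private-key-format v1.3) and check what a dnssec-policy lifetime implies.
from datetime import datetime, timedelta, timezone
import re

# Constructed sample, modelled on the timestamps quoted in the post.
SAMPLE_PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20151010091913
Publish: 20151010091913
Activate: 20151010091913
Inactive: 20151209091913
Delete: 20151219102413
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")


def parse_key_timing(text):
    """Return {field: aware UTC datetime} for the YYYYMMDDHHMMSS timing lines."""
    timing = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(\d{14})$", line.strip())
        if m and m.group(1) in TIMING_FIELDS:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timing[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timing


def parse_iso_days(lifetime):
    """Minimal ISO 8601 duration parser for the PnW / PnD forms used in policies."""
    m = re.fullmatch(r"P(?:(\d+)W)?(?:(\d+)D)?", lifetime)
    if not m or lifetime == "P":
        raise ValueError(f"unsupported lifetime: {lifetime}")
    weeks, days = (int(x) if x else 0 for x in m.groups())
    return timedelta(weeks=weeks, days=days)


def lifetime_status(timing, lifetime, now):
    """Compute Activate + lifetime and classify the key relative to `now`.

    A key whose computed Inactive time is already in the past is one that a
    lifetime-bound policy will want to retire as soon as it takes over.
    """
    expected_inactive = timing["Activate"] + parse_iso_days(lifetime)
    return {
        "expected_inactive": expected_inactive,
        "matches_file": timing.get("Inactive") == expected_inactive,
        "already_expired": expected_inactive <= now,
    }
```

Run `lifetime_status(parse_key_timing(open("Kexample.com.+008+12345.private").read()), "P60D", datetime.now(timezone.utc))` against a real key file to see whether the policy lifetime would already have expired it.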