auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis Mathew.Eis at nau.edu
Fri Jul 1 23:03:52 UTC 2016


Hi BIND,

The documentation for auto-dnssec maintain suggests that named will remove DNSKEYs from zones when the deletion time marked in the metadata occurs [1]. Unfortunately, it seems this is not always the case.

We are currently trying to diagnose the source of residual DNSKEYs in our zones - despite our use of auto-dnssec maintain.

We think that in some cases, named may be choosing to use a key past the removal date (as in [2]), while our file maintenance process removes the keys as per their deletion date – after which named no longer has the necessary metadata to determine whether or not to remove the DNSKEY from the zone.

Does this sound possible? Are there any other circumstances that would lead named to not remove a DNSKEY in a timely manner?

Lastly, so long as a zone is properly signed with a different key, are there any concerns with manually removing the zombie DNSKEY records via an update even while auto-dnssec maintain is enabled?

Thanks in advance,

Mathew Eis
Northern Arizona University
Information Technology Services

[1] ftp://ftp.isc.org/isc/bind/9.8.0-P4/doc/arm/Bv9ARM.ch04.html
auto-dnssec maintain … will also automatically adjust the zone's DNSKEY records on schedule according to the keys' timing metadata.

[2] https://kb.isc.org/article/AA-00822/0/Automatic-DNSSEC-Zone-Signing-Key-rollover-explained.html
It may also be necessary for some keys to be used past their end date.  An example of this would be if a key is added but no following key is provided.  Rather than break the zone, the older key may continue to be used, with sufficient notification in the log files to indicate this is happening.
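A check for the situation described above, as an added example that is not part of the original post or of BIND itself: it recomputes the key tag of each published DNSKEY (RFC 4034 Appendix B) and compares it with the timing metadata in the K*.key files, reporting keys past their Delete time that are still published and keys whose files are already gone (so named has no metadata left to act on). The zone text, file names and the "; Delete: YYYYMMDDHHMMSS" comment line are constructed sample data and an assumption about the key-file format.

```python
import base64
import re
from datetime import datetime, timezone

def keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_files(files):
    """Map key tag (from the K<zone>+<alg>+<tag>.key name) to the '; Delete:' time, if any (assumed format)."""
    deletes = {}
    for name, text in files.items():
        tag = int(name.rsplit("+", 1)[1].split(".")[0])
        m = re.search(r"^; Delete: (\d{14})", text, re.M)
        deletes[tag] = (datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
                        .replace(tzinfo=timezone.utc) if m else None)
    return deletes

def audit_dnskeys(zone_text, files, now):
    """Return (overdue, orphan): overdue = Delete time passed but still published; orphan = no key file."""
    deletes = parse_key_files(files)
    overdue, orphan = [], []
    for line in zone_text.splitlines():
        m = re.match(r"\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", line)
        if not m:
            continue
        tag = keytag(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
        if tag not in deletes:
            orphan.append(tag)  # metadata gone: named can no longer decide when to remove it
        elif deletes[tag] is not None and deletes[tag] <= now:
            overdue.append(tag)  # Delete time reached but the record is still in the zone
    return overdue, orphan

# Constructed sample data: three published DNSKEYs, key files for only two of them.
ZONE = """example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 8 AAAAAQ==
example.com. 3600 IN DNSKEY 257 3 8 EjQ=
"""
KEY_FILES = {
    "Kexample.com.+008+02062.key": "; Delete: 20160601000000 (Wed Jun  1 00:00:00 2016)\n",
    "Kexample.com.+008+05693.key": "; Delete: 20170101000000 (Sun Jan  1 00:00:00 2017)\n",
}
NOW = datetime(2016, 7, 1, tzinfo=timezone.utc)
```

Running `audit_dnskeys(ZONE, KEY_FILES, NOW)` on the sample returns `([2062], [1033])`: key 2062 is past its Delete time but still published, and key 1033 is published with no key file left to describe it.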

