Still seeing some ALG-7 DNSSE

Matthijs Mekking matthijs at isc.org
Tue Apr 6 07:13:58 UTC 2021


Most likely you have to delete those files manually.

In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By 
default the keys are retained for 90 days after their latest usage. So 
in that case keys will be cleaned up automatically.

If you run a lower version, or if you set "purge-keys 0;" (disabled), 
you have to purge key files manually.

Best regards,

Matthijs



On 05-04-2021 18:27, @lbutlr wrote:
> If I do:
> 
> cd /etc/named/working/main/
> for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done
> 
> I see a list of all the domains on the system, so that's good, everything has an ALG-13 signature.
> 
> If I do
> 
> for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done
> 
> I see a list of a handful of domains that still have ALG-7 signatures. This is confirmed by a warning in dnsviz.
> 
> I don't see any differences in the configurations, and none of the main records on the registrar list ALG-7 anymore, only ALG-13.
> 
> All of the domains are set up with dnssec-policy default.
> 
> There are still 007 keyholes on the system for ALL domains (unexpected), updated every hour (expected).
> 
>   8 -rw-r--r--  1 bind  bind   1.0K Apr  5 06:21 Kkreme.com.+007+01083.key
>   8 -rw-r--r--  1 bind  bind   587B Apr  5 06:21 Kkreme.com.+007+01083.state
>   8 -rw-------  1 bind  bind   3.3K Apr  5 06:21 Kkreme.com.+007+01083.private
>   8 -rw-r--r--  1 bind  bind   708B Apr  5 06:21 Kkreme.com.+007+30512.key
>   8 -rw-r--r--  1 bind  bind   520B Apr  5 06:21 Kkreme.com.+007+30512.state
>   8 -rw-------  1 bind  bind   1.8K Apr  5 06:21 Kkreme.com.+007+30512.private
>   8 -rw-r--r--  1 bind  bind   399B Apr  5 06:21 Kkreme.com.+013+29597.key
>   8 -rw-r--r--  1 bind  bind   651B Apr  5 06:21 Kkreme.com.+013+29597.state
>   8 -rw-------  1 bind  bind   215B Apr  5 06:21 Kkreme.com.+013+29597.private
> 
> This domain does not show any ALG-7 keys in dig:
> 
> # dig kreme.com +dnssec +short
> 65.121.55.45
> A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==
> 
> Is there anything I need to do here or not? Will those alg-7 key files continue to hang around forever? Do I need to do something to get dnsviz and dig +dnssec to stop reporting the old keys or is that like propagation and it will sort itself out? I don't see a pattern in the domains that are still showing alg-7 but it is possible they had the DS/registrar info updated later than the other domains.
> 
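The algorithm check from the quoted post, rewritten as an added example that is not from the thread or from BIND: it reads `dig <zone> +dnssec` output and key file names (both constructed here) and reports every RRSIG algorithm instead of grepping for `A 7 2`, so a leftover algorithm-7 signature over a record type other than A is not missed; the key files it lists for algorithm 007 are the ones `purge-keys` removes on 9.16.13+ and that must be deleted by hand on older versions.

```shell
#!/bin/sh
# Added example: audit RRSIG algorithms from `dig <zone> +dnssec` output and
# key file names. Sample data below is constructed, not captured from the thread.

# Print "owner type-covered algorithm" for every RRSIG in dig output (stdin).
# Field layout of a dig answer line: owner ttl IN RRSIG type alg labels ...
rrsig_algs() {
  awk '$4 == "RRSIG" { print $1, $5, $6 }' | sort -u
}

# Print RRSIGs whose algorithm differs from the expected one (e.g. 13 for
# ECDSAP256SHA256); algorithm 7 is RSASHA1-NSEC3-SHA1, the one being retired here.
stale_sigs() {
  awk -v want="$1" '$4 == "RRSIG" && $6 != want { print $1, $5, $6 }' | sort -u
}

# Turn key file names (K<zone>+<alg>+<keytag>.key, one per line) into
# "zone alg keytag" so files for a retired algorithm can be listed.
key_file_algs() {
  sed -n 's/^K\(.*\)+\([0-9]*\)+\([0-9]*\)\.key$/\1 \2 \3/p'
}

# Constructed sample dig output: kreme.com is fully on 13, example.net still
# carries an algorithm-7 signature next to its algorithm-13 one.
SAMPLE_DIG="$(cat <<'EOF'
;; ANSWER SECTION:
kreme.com.    3600  IN  A     65.121.55.45
kreme.com.    3600  IN  RRSIG A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. c2lnMTM=
example.net.  3600  IN  A     192.0.2.10
example.net.  3600  IN  RRSIG A 7 2 3600 20210415161448 20210401155316 01083 example.net. c2lnNw==
example.net.  3600  IN  RRSIG A 13 2 3600 20210415161448 20210401155316 12345 example.net. c2lnMTM=
EOF
)"

# Constructed key file names, as `ls` in the key directory would show them.
SAMPLE_KEYS="Kkreme.com.+007+01083.key
Kkreme.com.+007+30512.key
Kkreme.com.+013+29597.key"

echo "RRSIG algorithms seen:"
printf '%s\n' "$SAMPLE_DIG" | rrsig_algs
echo "Owners still carrying a non-13 signature:"
printf '%s\n' "$SAMPLE_DIG" | stale_sigs 13
echo "Key files for algorithm 007 (candidates for purge-keys / manual removal):"
printf '%s\n' "$SAMPLE_KEYS" | key_file_algs | awk '$2 == "007"'
```

On a live server, replace the sample variables with `dig "$zone" +dnssec` output and `ls K*.key` from the key directory; a zone that shows algorithm 7 in `stale_sigs 13` but only 007 files for that zone on disk is waiting on signature expiry and cache TTLs, not on configuration.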