Still seeing some ALG-7 DNSSE
Matthijs Mekking
matthijs at isc.org
Tue Apr 6 07:13:58 UTC 2021
Most likely you have to delete those files manually.
In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By
default the keys are retained for 90 days after their latest usage. So
in that case keys will be cleaned up automatically.
If you run a lower version, or if you set "purge-keys 0;" (disabled),
you have to purge key files manually.
Best regards,
Matthijs
On 05-04-2021 18:27, @lbutlr wrote:
> If I do:
>
> cd /etc/named/working/main/
> for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done
>
> I see a list of all the domains on the system, so that's good, everything has a ALG-13 signature.
>
> If I do
>
> for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done
>
> I see a list of a handful of domains that still have ALG-7 signatures. This is confirmed by a warning in dnsviz.
>
> I don't see any differences in the configurations, and none of the main records on the registrar list ALG-7 anymore, only ALG-13.
>
> All of the domains are setup with dnssec-policy default.
>
> Thera re still 007 keyholes on the system for ALL domains (unexpected), updated every hour (expected).
>
> 8 -rw-r--r-- 1 bind bind 1.0K Apr 5 06:21 Kkreme.com.+007+01083.key
> 8 -rw-r--r-- 1 bind bind 587B Apr 5 06:21 Kkreme.com.+007+01083.state
> 8 -rw------- 1 bind bind 3.3K Apr 5 06:21 Kkreme.com.+007+01083.private
> 8 -rw-r--r-- 1 bind bind 708B Apr 5 06:21 Kkreme.com.+007+30512.key
> 8 -rw-r--r-- 1 bind bind 520B Apr 5 06:21 Kkreme.com.+007+30512.state
> 8 -rw------- 1 bind bind 1.8K Apr 5 06:21 Kkreme.com.+007+30512.private
> 8 -rw-r--r-- 1 bind bind 399B Apr 5 06:21 Kkreme.com.+013+29597.key
> 8 -rw-r--r-- 1 bind bind 651B Apr 5 06:21 Kkreme.com.+013+29597.state
> 8 -rw------- 1 bind bind 215B Apr 5 06:21 Kkreme.com.+013+29597.private
>
> This domain does not show any ALG-7 keys in dig:
>
> # dig kreme.com +dnssec +short
> 65.121.55.45
> A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9 bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==
>
> Is there anything I need to do here or not? Will those alg-7 key files continue to hang around forever? Do I need to do something to get dnsviz and dig +dnssec to stop reporting the old keys or is that like propagation and it will sort itself out? I don't see a pattern in the domains that are still showing alg-7 but it is possible they had the DS/registrar info updated later than the other domains.
>
More information about the bind-users
mailing list