How to migrate dnssec algorithm smoothly from auto-dnssec to dnssec-policy?

von Dein, Thomas Thomas.vonDein at f-i-ts.de
Fri Jan 15 10:49:31 UTC 2021


Howdy,

I have a domain which is being signed automatically using auto-dnssec on an older BIND 9; it uses RSASHA1 keys. Now the registry requires us to move to a more secure algorithm, therefore I updated BIND to 9.16.6. Now I could switch to dnssec-policy; however, if I change the algorithm, it immediately drops the old keys instead of retiring them. I didn't find any hint in the docs or on the net on how to do this.

So this was the old config:

zone "customer.bank" in {
  type master;
  file "zone/master/customer.bank";
  key-directory "/usr/local/etc/namedb/zone/keys";
  auto-dnssec maintain;
  inline-signing yes;
  dnssec-dnskey-kskonly yes;
};

Now after upgrading I changed it to:

dnssec-policy "eval" {
    keys {
        ksk lifetime 2d algorithm rsasha1;
        zsk lifetime 2d algorithm rsasha1;
        ksk lifetime 365d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
};

zone "helaba.bank" in {
  type master;
  file "zone/master/helaba.bank";
  key-directory "/usr/local/etc/namedb/zone/keys";
  dnssec-policy "eval";
};

My idea was to retire the rsasha1 keys after 2 days and then replace them with the newly generated ones. However, this is what bind actually did:

15-Jan-2021 11:20:46.036 zoneload: zone customer.bank/IN (unsigned): loaded serial 2020100500
15-Jan-2021 11:20:46.042 zoneload: zone customer.bank/IN (signed): loaded serial 2020100551 (DNSSEC signed)
15-Jan-2021 11:20:46.049 general: zone customer.bank/IN (signed): receive_secure_serial: unchanged
15-Jan-2021 11:20:46.297 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100551)
15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/61258 (ZSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) created for policy eval
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/61258 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/61258 (ZSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/41200 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/ECDSAP256SHA256/55282 (ZSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/55282 (ZSK) is now active
15-Jan-2021 11:20:46.985 dnssec: zone customer.bank/IN (signed): next key event: 15-Jan-2021 13:20:46.297
15-Jan-2021 11:20:51.305 notify: zone customer.bank/IN (signed): sending notifies (serial 2020100558)

In fact it created 2 new key pairs, one for rsasha1 and one for ecdsap256sha256.

I am pretty sure my setup is invalid somehow.

So how could I configure BIND so that it keeps the existing rsasha1 keys for a while and uses the new ones only afterwards?


Best regards,
Tom
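The behaviour described in the post (the old keys being retired and deleted within the same second, and keys of two algorithms becoming active at once) can be checked mechanically from named's `dnssec` log category. The script below is an added example, not BIND code and not part of the original post: it parses the keymgr/DNSKEY state lines quoted above (plus two constructed lines for a hypothetical key tag 12345 that had a normal two-day retire period), builds a per-key timeline, and flags any key that was deleted less than a day after being retired. The one-day threshold is an assumed value chosen for the example; the poster's policy used a 2d lifetime.

```python
"""Audit BIND dnssec-policy key-manager log lines for keys that were deleted
without a retire period.  Added example; not BIND code and not the poster's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: keymgr lines quoted in the post above, plus two lines
# (constructed) for a hypothetical key tag 12345 that was retired on the 17th
# and only deleted two days later, i.e. a rollover that behaved as expected.
SAMPLE_LOG = """\
15-Jan-2021 11:20:46.297 dnssec: zone customer.bank/IN (signed): reconfiguring zone keys
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/31284 (ZSK)
15-Jan-2021 11:20:46.311 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA256/39364 (KSK)
15-Jan-2021 11:20:46.664 dnssec: keymgr: DNSKEY customer.bank/RSASHA1/14477 (KSK) created for policy eval
15-Jan-2021 11:20:46.868 dnssec: keymgr: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) created for policy eval
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/31284 (ZSK) is now deleted
15-Jan-2021 11:20:46.938 dnssec: DNSKEY customer.bank/RSASHA256/39364 (KSK) is now deleted
15-Jan-2021 11:20:46.939 dnssec: Fetching customer.bank/RSASHA1/14477 (KSK) from key repository.
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/RSASHA1/14477 (KSK) is now active
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now published
15-Jan-2021 11:20:46.939 dnssec: DNSKEY customer.bank/ECDSAP256SHA256/41200 (KSK) is now active
17-Jan-2021 11:20:46.000 dnssec: keymgr: retire DNSKEY customer.bank/RSASHA1/12345 (ZSK)
19-Jan-2021 11:20:46.000 dnssec: DNSKEY customer.bank/RSASHA1/12345 (ZSK) is now deleted
"""

# Matches the three line shapes seen above: "keymgr: retire DNSKEY ...",
# "keymgr: DNSKEY ... created for policy X" and "DNSKEY ... is now <state>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) dnssec: "
    r"(?:keymgr: )?(?P<retire>retire )?DNSKEY "
    r"(?P<zone>[^/\s]+)/(?P<alg>[A-Z0-9]+)/(?P<tag>\d+) \((?P<role>KSK|ZSK)\)"
    r"(?: is now (?P<state>[a-z]+)| created for policy (?P<policy>\S+))?$"
)


def parse_events(text):
    """Return a list of (timestamp, zone, (alg, tag, role), event) tuples.
    Lines that are not DNSKEY state changes (zoneload, notify, Fetching ...)
    are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["retire"]:
            event = "retire"
        elif m["policy"]:
            event = "created"
        else:
            event = m["state"]
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        key = (m["alg"], int(m["tag"]), m["role"])
        events.append((ts, m["zone"], key, event))
    return events


def key_timeline(events):
    """Group events per key in time order: {key: [(ts, event), ...]}."""
    timeline = defaultdict(list)
    for ts, _zone, key, event in sorted(events, key=lambda e: e[0]):
        timeline[key].append((ts, event))
    return dict(timeline)


def find_abrupt_deletions(events, min_retire=timedelta(days=1)):
    """Keys whose 'deleted' event came less than min_retire after their
    'retire' event, or with no retire event at all.  A rollover should keep a
    retired key in the zone for its retire interval, not remove it at once."""
    flagged = []
    for key, evs in key_timeline(events).items():
        retired = [ts for ts, ev in evs if ev == "retire"]
        deleted = [ts for ts, ev in evs if ev == "deleted"]
        if not deleted:
            continue
        if not retired or deleted[0] - retired[0] < min_retire:
            flagged.append(key)
    return sorted(flagged)


def active_algorithms(events):
    """Sorted list of algorithms that have at least one key marked active."""
    return sorted({key[0] for _ts, _zone, key, ev in events if ev == "active"})


def report(text):
    """Human-readable findings for a chunk of log text."""
    events = parse_events(text)
    lines = ["abrupt deletion: %s/%d (%s)" % key
             for key in find_abrupt_deletions(events)]
    lines.append("algorithms with active keys: " + ", ".join(active_algorithms(events)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the quoted lines it reports both RSASHA256 keys as deleted 0.6 s after retirement and lists RSASHA1 and ECDSAP256SHA256 as simultaneously active, which is exactly the outcome the post describes; the constructed key 12345 passes because its deletion came two days after retirement. Feeding it `named`'s actual log (with the `dnssec` category logged at info level) gives the same check over a real rollover.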

