Changing ZSK-lifetime in dnssec-policy is not applied

Matthijs Mekking matthijs at isc.org
Mon Feb 14 08:59:04 UTC 2022


Hi Tom,

The lifetime is applied to new keys, so when the ZSK is rolled the 
lifetime of the successor key should be 60 days.

I have considered applying it to existing keys as well (and maybe we 
will some day), but there are a bunch of corner cases that make it 
non-trivial, especially when keys are involved that are in the middle of 
a rollover.

Best regards,
   Matthijs

On 11-02-2022 13:16, Tom wrote:
> Hi
> 
> Using BIND-9.16.22 and dnssec-policy:
> 
> I've migrated an already existing and signing "auto-dnssec"-configured 
> zone to dnssec-policy (same algorithms). That worked without any issues. 
> After a while, I changed the ZSK lifetime from 30d to 60d (see below) in 
> the dnssec-policy:
> 
> dnssec-policy "thewaytogo" {
>      signatures-refresh 5d;
>      signatures-validity 14d;
>      signatures-validity-dnskey 14d;
> 
>      dnskey-ttl 3600s;
>      publish-safety 1h;
>      retire-safety 1h;
>      purge-keys 10d;
> 
>      keys {
>          ksk lifetime unlimited algorithm ecdsap256sha256;
>          zsk lifetime 60d algorithm ecdsap256sha256;
>      };
> 
>      zone-propagation-delay 300s;
>      max-zone-ttl 86400s;
> 
>      parent-propagation-delay 1h;
>      parent-ds-ttl 3600;
>      nsec3param iterations 0 optout no salt-length 0;
> };
> 
> 
> After reloading/restarting named, I can't see the new lifetime 
> (scheduled rollover), neither in the rndc-output, nor in the keyfile 
> itself (ZSK 63304). The new lifetime should be 12/13 Apr and not 13 Mar.
> 
> # rndc-output
> $ rndc dnssec -status example.com
> dnssec-policy: thewaytogo
> current time:  Fri Feb 11 13:02:10 2022
> 
> key: 455 (ECDSAP256SHA256), ZSK
>    published:      yes - since Wed May 20 14:50:09 2020
>    zone signing:   no
> 
>    Key is retired, will be removed on Mon Jun 29 15:55:09 2020
>    - goal:           hidden
>    - dnskey:         omnipresent
>    - zone rrsig:     unretentive
> 
> key: 63304 (ECDSAP256SHA256), ZSK
>    published:      yes - since Fri Feb 11 08:19:18 2022
>    zone signing:   yes - since Fri Feb 11 09:24:18 2022
> 
>    Next rollover scheduled on Sun Mar 13 07:19:18 2022
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - zone rrsig:     rumoured
> 
> key: 39500 (ECDSAP256SHA256), KSK
>    published:      yes - since Wed May 20 14:50:09 2020
>    key signing:    yes - since Wed May 20 14:50:09 2020
> 
>    No rollover scheduled
>    - goal:           omnipresent
>    - dnskey:         omnipresent
>    - ds:             omnipresent
>    - key rrsig:      omnipresent
> 
> 
> 
> # key-file
> ; This is the state of key 63304, for example.com.
> Algorithm: 13
> Length: 256
> Lifetime: 2592000
> Predecessor: 455
> KSK: no
> ZSK: yes
> Generated: 20220211071918 (Fri Feb 11 08:19:18 2022)
> Published: 20220211071918 (Fri Feb 11 08:19:18 2022)
> Active: 20220211082418 (Fri Feb 11 09:24:18 2022)
> Retired: 20220313082418 (Sun Mar 13 09:24:18 2022)
> Removed: 20220323092918 (Wed Mar 23 10:29:18 2022)
> DNSKEYChange: 20220211092418 (Fri Feb 11 10:24:18 2022)
> ZRRSIGChange: 20220211092418 (Fri Feb 11 10:24:18 2022)
> DNSKEYState: omnipresent
> ZRRSIGState: rumoured
> GoalState: omnipresent
> 
> 
> 
> Any hints for this?
> 
> Many thanks.
> 
> Best regards,
> Tom
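The behaviour described in this thread is easy to confirm from the key state file itself: the Lifetime field is in seconds (2592000 = 30d), and Retired is Active plus that lifetime, so an existing key keeps the lifetime it was created with even after the policy changes. The script below is an added example, not code from the thread or from BIND; it parses a constructed copy of the state file shown above, compares its Lifetime against a dnssec-policy lifetime string, and reports what the retire time would be if the new lifetime applied. The prepublication interval it derives (dnskey-ttl + publish-safety + zone-propagation-delay, 7500s here) is my reading of how the "Next rollover scheduled" time above (2h05m before Retired) is computed, and is an assumption rather than something the thread states.

```python
"""Compare a BIND key state file's Lifetime with the dnssec-policy lifetime.

Added example: shows why a changed zsk lifetime is not visible on an
existing key, and what the successor key's schedule would look like.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the key state fields posted in the thread (not read from disk).
STATE_FILE = """\
; This is the state of key 63304, for example.com.
Algorithm: 13
Length: 256
Lifetime: 2592000
Predecessor: 455
KSK: no
ZSK: yes
Generated: 20220211071918 (Fri Feb 11 08:19:18 2022)
Published: 20220211071918 (Fri Feb 11 08:19:18 2022)
Active: 20220211082418 (Fri Feb 11 09:24:18 2022)
Retired: 20220313082418 (Sun Mar 13 09:24:18 2022)
Removed: 20220323092918 (Wed Mar 23 10:29:18 2022)
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def duration_seconds(text: str) -> int:
    """Convert a named.conf style duration ("60d", "3600s", "1h", "3600") to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.strip().lower())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_state(text: str) -> dict:
    """Parse 'Field: value (...)' lines; comments and the human-readable suffix are dropped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(";") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip().split()[0]
    return fields


def parse_ts(ts: str) -> datetime:
    """Key state timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_lifetime(state_text: str, policy_lifetime: str,
                   dnskey_ttl: str, publish_safety: str,
                   zone_propagation_delay: str) -> dict:
    """Report whether the key's stored Lifetime matches the policy and derive its schedule."""
    st = parse_state(state_text)
    key_lifetime = int(st["Lifetime"])
    policy_secs = duration_seconds(policy_lifetime)
    active = parse_ts(st["Active"])
    retired = parse_ts(st["Retired"])
    # Assumed prepublication interval: the successor is published this long before
    # the current key retires so its DNSKEY is omnipresent by then.
    ipub = (duration_seconds(dnskey_ttl) + duration_seconds(publish_safety)
            + duration_seconds(zone_propagation_delay))
    fmt = "%Y%m%d%H%M%S"
    return {
        "key_lifetime_days": key_lifetime // 86400,
        "policy_lifetime_days": policy_secs // 86400,
        "matches_policy": key_lifetime == policy_secs,
        # Retired should equal Active + Lifetime for a key that is not mid-rollover.
        "retire_consistent": active + timedelta(seconds=key_lifetime) == retired,
        "successor_prepublish_utc": (retired - timedelta(seconds=ipub)).strftime(fmt),
        "retire_if_policy_applied_utc": (active + timedelta(seconds=policy_secs)).strftime(fmt),
    }


if __name__ == "__main__":
    # Values taken from the dnssec-policy "thewaytogo" shown in the thread.
    report = check_lifetime(STATE_FILE, "60d", "3600s", "1h", "300s")
    for k, v in report.items():
        print(f"{k}: {v}")
```

Running it against the posted state file reports a 30-day key under a 60-day policy (matches_policy False), confirms Retired = Active + Lifetime, and shows that the same Active time with the new lifetime would retire on 12 Apr, which is the date the poster expected. Comparing the Lifetime field against the policy this way is a quick check after a policy change to see which keys will only pick up the new value on their next rollover.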