AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

Mon Jan 24 13:58:14 UTC 2022

Hi Klaus, 

Thank you so much for your answer but when Bind deletes a key from a
zone, if I remember correctly, there should not be any rrsig still
active, signed previously by the deleted key. Isn't it?. So I assume in
that case, I should be doing it properly but still see these messages. 

Am I wrong Klaus in some statement?. If a ZSK is deleted (I'm not
renewing KSK at the moment) no RRSIG with that key should exist... 

Cheers!

El 2022-01-24 13:08, Klaus Darilion escribió:

> IIRC, Bind needs the key as long as there are signatures in the zone generated by this key. After key deactivation I waited the RRSIG lifetime before deleting them. 
> 
> regards 
> 
> Klaus 
> 
> VON: bind-users <bind-users-bounces at lists.isc.org> IM AUFTRAG VON egoitz--- via bind-users
> GESENDET: Montag, 24. Jänner 2022 13:00
> AN: bind-users at lists.isc.org
> BETREFF: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated) 
> 
> Good morning, 
> 
> I have a DNSSEC "bump in wire" server, which uses "inline-signing yes;"  and "auto-dnssec maintain;" for that reason. 
> 
> I do the task of ensuring always are valid keys in the zone with an script that generates them whenever is needed. All fine until here and all working. 
> 
> I have seen, that Bind logs in messages log file sometimes the following error logs : 
> 
> _dns_dnssec_keylistfromrdataset: error reading /xxx/xxx/xxx/xx-domain/named.aaa/aaa.xx.+008+41919.private: file not found_ 
> 
> That "file not found" is due to a rename of ".key" and ".private" files to ".key-OLD" and ".private-OLD". 
> 
> I did the rename, because I have seen that the ZSK key 41919 was set to be deleted (and obviously always renamed after that deletion date) from the zone, so I renamed the ".key" and ".private" files to ".key-OLD" and ".private-OLD". 
> 
> I do this rename, because this way my key checking script differentiates, any needed (in effect) key with the "supposedly" (I say supposedly because I would have said that Bind should not be using nowadays that non finding files for nothing!) non needed keys, in order to check that each zone, has always the needed keys for keeping properly signed by Bind (else it would generate them). 
> 
> As I previously commented, I check with a script the existence of all needed keys for each domain. Obviuosly, it's not the same checking a couple of ZSK or just one ZSK and a KSK (per domain), than them plus all outdated keys that each month become outdated. 
> 
> So, how many time should I wait in order to rename that files?. Should I handle them with another dnssec-______ command instead of renaming?. All seems to be working well but I see these errors and was wondering if I could improve the way of handling outdated keys. 
> 
> I have been taking a look at the source code of Bind (the tag of version I'm using), and I have seen that Bind seems not remove any of that key files when they become outdated. Or does it with some param?. I have not been able to find it. I have been taking a look too the ARM, but still no luck on finding the answers I was trying to. 
> 
> Any help very appreciated, 
> 
> Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220124/53f8a8e9/attachment-0001.htm>