After switching to "dnssec-policy", existing RRs are still signed with the "old" ZSK

Mark Andrews marka at isc.org
Wed May 11 09:26:48 UTC 2022 

Signature-refresh determines when the RRSIGs will be replaced by looking at the expiration time and working backwards. New RRSIGs are generate Using signature-interval. 

-- 
Mark Andrews

> On 11 May 2022, at 18:15, Tom <lists at verreckte-cheib.ch> wrote:
> 
> Hi list
> 
> After switching from "semi-automatic"-signing to dnssec-policy (everything identical, except new ZSK rollover) I have the following rndc output:
> 
> $ rndc dnssec -status example.ch
> dnssec-policy: 60d_zsk_rollover
> current time:  Wed May 11 09:54:55 2022
> 
> key: 45819 (ECDSAP256SHA256), KSK
>  published:      yes - since Mon Apr 27 08:00:01 2020
>  key signing:    yes - since Mon Apr 27 08:00:01 2020
> 
>  No rollover scheduled
>  - goal:           omnipresent
>  - dnskey:         omnipresent
>  - ds:             omnipresent
>  - key rrsig:      omnipresent
> 
> key: 17242 (ECDSAP256SHA256), ZSK
>  published:      yes - since Mon May  9 16:25:59 2022
>  zone signing:   yes - since Mon May  9 17:30:59 2022
> 
>  Next rollover scheduled on Fri Jul  8 15:25:59 2022
>  - goal:           omnipresent
>  - dnskey:         omnipresent
>  - zone rrsig:     rumoured
> 
> key: 52021 (ECDSAP256SHA256), ZSK
>  published:      yes - since Mon Apr 27 08:00:01 2020
>  zone signing:   no
> 
>  Key is retired, will be removed on Mon Jul  6 09:05:01 2020
>  - goal:           hidden
>  - dnskey:         omnipresent
>  - zone rrsig:     unretentive
> 
> 
> 
> The ZSK 52021 is the old one (from semi-automatic), the ZSK 17242 is the new one, which was created after reloading named while applying the new dnssec-policy.
> 
> The current behavior I see is, that already existing RR are still signed with the "old" key (52021) and newly created RR are signed with the new ZSK (17242). Is this normal behavior and yes, after which time will the existing RR also be signed with the new ZSK (17242)?
> 
> The dnssec-policy configuration looks like this:
> 
> dnssec-policy "60d_zsk_rollover" {
>    signatures-refresh 5d;
>    signatures-validity 14d;
>    signatures-validity-dnskey 14d;
> 
>    dnskey-ttl 3600s;
>    publish-safety 1h;
>    retire-safety 1h;
>    purge-keys 10d;
> 
>    keys {
>        ksk lifetime unlimited algorithm ecdsap256sha256;
>        zsk lifetime 60d algorithm ecdsap256sha256;
>    };
> 
>    zone-propagation-delay 300s;
>    max-zone-ttl 86400s;
> 
>    parent-propagation-delay 1h;
>    parent-ds-ttl 3600;
>    nsec3param iterations 0 optout no salt-length 0;
> };
> 
> 
> 
> Many thanks for hints/explanations.
> Best regards,
> Tom
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list