migration from auto-dnssec to dnssec-policy deletes keys immediately

Adrian Zaugg lists.isc.org at mailgurgler.com
Thu Dec 28 00:03:43 UTC 2023


Dear List

Trying to migrate a zone from auto-dnssec

	zone "myzone.ch" {
	        key-directory "/var/lib/bind/keys";
	        auto-dnssec maintain;
	        inline-signing yes;
	        type master;
	        [...]

to dnssec-policy

	zone "myzone.ch" {
	        key-directory "/var/lib/bind/keys";
	        dnssec-policy "mypolicy";
	        inline-signing yes;
	        parental-agents { "quad9"; };
	        type master;
	        [...]

my BIND version 9.18.19 immediately deletes the published and valid keys and 
replaces them with newly created ones.

As I understand, BIND should make a smooth keyrollover keeping the old keys 
around for a while and wait until the new keys have a delegation signer record 
in the parent zone before the old ones get withdrawn and deleted.

What am I doing wrong? 

Thank you for your help.


Best regards, Adrian.



Relevant log entries:

2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK)
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK)
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for policy mypolicy
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for policy mypolicy
2023-12-27 23:51:24: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+14076.private have changed from 0640 to 0600 as a result of this operation.
2023-12-27 23:51:24: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+03654.private have changed from 0640 to 0600 as a result of this operation.
2023-12-27 23:51:24: Removing expired key myzone.ch/14076/ECDSAP256SHA256 from DNSKEY RRset.
2023-12-27 23:51:24: DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK) is now deleted
2023-12-27 23:51:24: Removing expired key myzone.ch/3654/ECDSAP256SHA256 from DNSKEY RRset.
2023-12-27 23:51:24: DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK) is now deleted
2023-12-27 23:51:24: Fetching myzone.ch/ED25519/2336 (KSK) from key repository.
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/2336 (KSK) is now published
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/2336 (KSK) is now active
2023-12-27 23:51:24: Fetching myzone.ch/ED25519/35413 (ZSK) from key repository.
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/35413 (ZSK) is now published
2023-12-27 23:51:24: DNSKEY myzone.ch/ED25519/35413 (ZSK) is now active
2023-12-27 23:51:24: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE,32,68[...])
2023-12-27 23:51:24: zone myzone.ch/IN (signed): next key event: 27-Dec-2023 23:56:24.191


My policy looks like:

dnssec-policy "mypolicy" {
        dnskey-ttl 3600;
        keys {
                ksk lifetime P5Y algorithm ED25519;
                zsk lifetime 60d algorithm ED25519;
         };
        nsec3param iterations 32 optout no salt-length 16;
        publish-safety 1h;
        retire-safety 7d;
};

...and the parental-agents are Quad9:

parental-agents "quad9" {
        9.9.9.9;
        149.112.112.112;
        2620:fe::fe;
        2620:fe::9;
};

...the old key has the following times set after the configuration change:

$ dnssec-settime -p all /etc/bind/keys/myzone.ch.+013+14076.key 
Created: Wed Jul 10 10:49:51 2019
Publish: Wed Jul 10 10:49:51 2019
Activate: Wed Jul 10 10:49:51 2019
Revoke: UNSET
Inactive: Wed Dec 27 23:51:24 2023
Delete: Fri Jan  5 00:51:24 2024
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
