migration from auto-dnssec to dnssec-policy deletes keys immediately

Nick Tait nick at tait.net.nz
Thu Dec 28 03:01:27 UTC 2023


> On 28 Dec 2023, at 1:05 PM, Adrian Zaugg <lists.isc.org at mailgurgler.com> wrote:
> 
> 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys
> 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK)
> 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK)
> 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for policy mypolicy
> 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for policy mypolicy

Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy.

My understanding is that after you’ve transitioned to using dnssec-policy you should be able to change the algorithm and Bind should do a graceful roll-over? Just make sure everything is “omnipresent” in your state files (in the keys directory) first.

Nick. 
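The reply above asks for two things before a zone is moved from auto-dnssec to dnssec-policy: every existing key must be "omnipresent" in its state file, and the first policy should declare the same algorithm the existing keys use. The following POSIX shell script is an added example (it is not part of Nick's reply, nor ISC's code) that checks both against a keys directory and prints a starting-point dnssec-policy stanza. It assumes the `K*.key` / `K*.state` file layout written by dnssec-keygen and named, the `...State:` field names in those state files, and that dnssec-policy accepts numeric algorithm values; the two sample keys it creates are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Checks a BIND keys directory
# before migrating a zone from auto-dnssec to dnssec-policy.
# Assumptions: K*.key files hold a DNSKEY RR; K*.state files hold
# "<Something>State: <state>" lines (field names assumed); dnssec-policy
# accepts numeric algorithm values.

# Map DNSKEY algorithm numbers to the names named uses in its keymgr log lines.
alg_name() {
    case "$1" in
        8)  echo RSASHA256 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "unknown" ;;
    esac
}

# key_report DIR: one line per key "<keyfile> <KSK|ZSK> <alg#> <algname> <ready|NOT-READY ...>".
# Returns 1 if any state other than GoalState is not "omnipresent".
key_report() {
    dir=$1
    rc=0
    for state in "$dir"/K*.state; do
        [ -f "$state" ] || continue
        keyfile=${state%.state}.key
        [ -f "$keyfile" ] || continue
        # DNSKEY RR: <owner> [TTL] IN DNSKEY <flags> <protocol> <algorithm> <key>
        flags=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$keyfile")
        alg=$(awk '{ for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { print $(i+3); exit } }' "$keyfile")
        if [ "$flags" = 257 ]; then role=KSK; else role=ZSK; fi   # 257 = SEP bit set
        # Collect every "...State:" line that is not omnipresent (GoalState is a target, not a state).
        not_ready=$(awk -F': *' '/State:/ && $1 != "GoalState" && $2 != "omnipresent" { printf "%s=%s ", $1, $2 }' "$state")
        if [ -z "$not_ready" ]; then
            echo "$(basename "$keyfile") $role $alg $(alg_name "$alg") ready"
        else
            echo "$(basename "$keyfile") $role $alg $(alg_name "$alg") NOT-READY $not_ready"
            rc=1
        fi
    done
    return $rc
}

# suggest_policy NAME DIR: a dnssec-policy stanza that mirrors the existing keys
# (same algorithm per role, no rollover), to be tuned once the migration is done.
suggest_policy() {
    echo "dnssec-policy \"$1\" {"
    echo "    keys {"
    key_report "$2" | awk '{ printf "        %s key-directory lifetime unlimited algorithm %s;\n", tolower($2), $3 }'
    echo "    };"
    echo "};"
}

# make_sample DIR KSK_DS_STATE: constructed sample keys directory (placeholder key material).
make_sample() {
    mkdir -p "$1"
    cat > "$1/Kmyzone.ch.+013+03654.key" <<'EOF'
; This is a zone-signing key, keyid 3654, for myzone.ch. (constructed sample)
myzone.ch. IN DNSKEY 256 3 13 ConstructedZskPlaceholderKeyMaterial==
EOF
    cat > "$1/Kmyzone.ch.+013+03654.state" <<'EOF'
; This is the state of key 3654, for myzone.ch. (constructed sample)
Algorithm: 13
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
EOF
    cat > "$1/Kmyzone.ch.+013+14076.key" <<'EOF'
; This is a key-signing key, keyid 14076, for myzone.ch. (constructed sample)
myzone.ch. IN DNSKEY 257 3 13 ConstructedKskPlaceholderKeyMaterial==
EOF
    cat > "$1/Kmyzone.ch.+013+14076.state" <<EOF
; This is the state of key 14076, for myzone.ch. (constructed sample)
Algorithm: 13
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: $2
GoalState: omnipresent
EOF
}

# Demo on constructed data; point key_report/suggest_policy at the real keys directory instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" rumoured
if key_report "$demo_dir"; then
    echo "all key states omnipresent; safe to switch the zone to dnssec-policy"
else
    echo "wait: some key states are not omnipresent yet"
fi
suggest_policy mypolicy "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the zone's key-directory; the "ready"/"NOT-READY" column tells you whether to wait, and the printed stanza keeps the algorithm the keys already use, so named reuses them rather than retiring them and creating new ones.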