migration from auto-dnssec to dnssec-policy deletes keys immediately
Adrian Zaugg
lists.isc.org at mailgurgler.com
Thu Dec 28 11:58:00 UTC 2023
Hi Nick
Not changing the key algo does help indeed when introducing dnssec-policy, see
the log below. Thank you very much for pointing this out.
But I do not understand why BIND deletes valid and published keys, just
because there should be another algo used. Couldn't this be done in a smooth
key rollover process aswell? Maybe someone with more insights than I have,
could explain this behaviour. Thanks!
Best regards, Adrian.
Log of successful change from auto-dnssec to dnssec-policy (using the same
algo):
2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...]
2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals
2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE,
32,[...])
2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK)
created for policy mypolicy_ecdsa
2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.
+013+61287.private have changed from 0640 to 0600 as a result of this
operation.
2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.
+013+38348.private have changed from 0640 to 0600 as a result of this
operation.
2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key
repository.
2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation
to match the DNSKEY TTL (86400).
2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now
published
2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now
active
2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now
published
2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now
published
2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023
12:53:01.176
2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial
2021010692)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20231228/d77309c9/attachment.sig>
More information about the bind-users
mailing list