[KASP] Key rollover

Matthijs Mekking matthijs at isc.org
Thu Jan 19 08:12:34 UTC 2023


Hi Adrien,

Without any logs or key **state** files, I can't really tell what is 
going on.

My only gut feeling is that you have never signaled BIND 9 that the DS 
has been published. You can run 'rndc dnssec -checkds -key 12345 
published example.com' or set up parental-agents to do it for you.

Best regards,

Matthijs

On 1/17/23 09:38, adrien sipasseuth wrote:
> Hello,
> 
> I put the management of DNSSEC with KASP, the zone is well functional. 
> (dig with "AD" flag etc)
> 
> On the other hand, I can't see when the key rollover period for my KSK 
> is over (2 KSKs with a dig DNSKEY...)
> 
> Without KASP, it was easy because I generated the second KSK key but 
> with KASP, it is managed automatically.
> 
> So, I have to adapt my scripts to check that there is:
>   - a used KSK key and a next KSK key
>   - or only one KSK key used (if we are not in a rollover phase)
> 
> Except that with my current policy, I never see 2 KSKs via a "dig 
> DNSKEY...".
> Here is my policy:
> 
> dnssec-policy "test" {
>      keys {
>          ksk lifetime P7D algorithm ecdsa256;
>          zsk lifetime P3D algorithm ecdsa256;
>      };
>      purge-keys 1d;
>      publish-safety 3d;
>      retire-safety 3d;
> };
> 
> I see either my KSK in use or my next KSK (via "dig DNSKEY...") but 
> never both at the same time.
> 
> Is this a normal behavior or am I doing it wrong?
> 
> Regards, Adrien
> 
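The check Adrien describes (is there one KSK or two in the published DNSKEY RRset?) can be scripted directly from `dig +short DNSKEY` output, since a KSK carries flags value 257 (SEP bit set) and a ZSK carries 256. The script below is an added example written for this page, not code from Matthijs, Adrien or the BIND project; it assumes `dig` from BIND is installed and that the zone name is passed as the first argument. The sample DNSKEY lines embedded in it are constructed, not real keys, so the parsing can be exercised offline. Note that this only reflects what is published in the zone; the authoritative view of where KASP thinks each key is (including whether the DS has been signalled as published, the point Matthijs raises) comes from `rndc dnssec -status <zone>`.

```shell
#!/bin/sh
# Added example: classify a zone's KSK rollover state from its DNSKEY RRset.
# Assumes BIND's dig is on PATH when a zone is given as $1 (hypothetical usage).

# count_ksks reads "dig +short DNSKEY" lines on stdin, one key per line:
#   "<flags> <protocol> <algorithm> <base64 key data...>"
# and prints how many carry flags 257 (KSK / SEP bit). ZSKs have flags 256.
count_ksks() {
    awk '$1 == 257 { n++ } END { print n + 0 }'
}

# rollover_state maps a KSK count to a label a monitoring script can act on:
#   1 KSK -> steady state, 2 KSKs -> KSK rollover in progress (old + next).
rollover_state() {
    case "$1" in
        0) echo "no-ksk" ;;          # broken: no KSK published at all
        1) echo "single-ksk" ;;      # normal, not in a rollover
        2) echo "ksk-rollover" ;;    # current and next KSK both published
        *) echo "unexpected-$1" ;;   # more than two: worth a closer look
    esac
}

# check_zone runs the live query for a zone and prints its state.
check_zone() {
    zone=$1
    n=$(dig +short DNSKEY "$zone" | count_ksks)
    rollover_state "$n"
}

# Constructed sample outputs (not real keys) used for the offline demonstration.
SAMPLE_ROLLOVER='257 3 13 AAAAexampleKSKone==
256 3 13 AAAAexampleZSK==
257 3 13 AAAAexampleKSKtwo=='

SAMPLE_STEADY='257 3 13 AAAAexampleKSKone==
256 3 13 AAAAexampleZSK=='

# demo_state classifies one of the constructed samples without touching the network.
demo_state() {
    printf '%s\n' "$1" | count_ksks | {
        read -r n
        rollover_state "$n"
    }
}

# Usage: sh ksk-check.sh example.com   -> queries the live zone
#        sh ksk-check.sh               -> runs the offline demonstration
if [ -n "${1:-}" ]; then
    check_zone "$1"
else
    echo "constructed rollover sample: $(demo_state "$SAMPLE_ROLLOVER")"
    echo "constructed steady sample:   $(demo_state "$SAMPLE_STEADY")"
fi
```

A monitoring job would alert on `no-ksk` or `unexpected-*`, treat `ksk-rollover` as informational, and pair the DNSKEY count with `rndc dnssec -status` so that a rollover stuck waiting for the DS-published signal is visible rather than just looking like a zone with one KSK.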

