identifying DNSKEY by label

Mark Andrews marka at isc.org
Sun Jul 30 23:21:40 UTC 2023


Firstly use dnssec-settime to manage the removal of the keys from the zone.  Named
periodically scans the key directory to see if a key has been marked to change state.
Note a key should not be removed from a zone while there are still RRSIGs that were
generated from it in the zone or in caches.

From the dnssec-settime man page:

       -I date/offset
              This option sets the date on which the key is to be retired. After that date,
              the key is still included in the zone, but it is not used to sign it.

       -D date/offset
              This option sets the date on which the key is to be deleted. After that date,
              the key is no longer included in the zone. (However, it may remain in the key
              repository.)

The algorithm and key id are encoded into the file name.

The key files record the various dates in the key files with the
times recorded in UTC in ISO format.

e.g.
This key was created, published and activated Tue Mar 22 14:17:34 2022.
It has not been inactivated (-I) or been marked for deletion from the zone (-D).

K.+005+12816.key:

; This is a zone-signing key, keyid 12816, for .
; Created: 20220322031734 (Tue Mar 22 14:17:34 2022)
; Publish: 20220322031734 (Tue Mar 22 14:17:34 2022)
; Activate: 20220322031734 (Tue Mar 22 14:17:34 2022)
. IN DNSKEY 256 3 5 AwEAAfOwUKzeKqoZ98OnL3Gr6bbgkRYP7C/e2pj1VRxwnkh+Uy/KJ+l4 n5wcJVe6wQubIdNrwsPuhOOUjvJZwFfoEZAA5XkAs8/u9iWO2zNRswAN S3twZtaLK/3wMDwagBNW3ELw8UvQiaoDvqNkTVYSUOMVEmmmJYLUCZwb rncN/nSEJswwgna+s0wrj8QByq/R/y9WN4F46BbgvANirFQZm3izhYLd HjZVWrVBaynBUnjMrU8JI88KPzz5PhhhCOX/7Keh3Xqj7dWOZn4cYD/3 Yx8qz+x3siJUtXQHp4SViKGIQX8FmEATDFRyL0nWAe+GfahdwaUYOE5x oF9AIKAUJsc=

K.+005+12816.private:

Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: 87BQrN4qqhn3w6cvcavptuCRFg/sL97amPVVHHCeSH5TL8on6XifnBwlV7rBC5sh02vCw+6E45SO8lnAV+gRkADleQCzz+72JY7bM1GzAA1Le3Bm1osr/fAwPBqAE1bcQvDxS9CJqgO+o2RNVhJQ4xUSaaYlgtQJnBuudw3+dIQmzDCCdr6zTCuPxAHKr9H/L1Y3gXjoFuC8A2KsVBmbeLOFgt0eNlVatUFrKcFSeMytTwkjzwo/PPk+GGEI5f/sp6HdeqPt1Y5mfhxgP/djHyrP7HeyIlS1dAenhJWIoYhBfwWYQBMMVHIvSdYB74Z9qF3BpRg4TnGgX0AgoBQmxw==
PublicExponent: AQAB
PrivateExponent: UEQShqYU8ntkLyc5yty/uhNk5pnvB2OFqB0i4B++Gw2088hH9jBbjk19BVUHsf1ymlNjzyqYzedIYE4suye+5SpOa1lOYN6KaBuSWuh9p7Y5VxrSXLdxkY6ULK/j4LrbCReYuwqg1YWvPN1UVdXpm6p8qpzlvR5/XdKGWEOdPR4HqTt22DpxStckrZ52g5vMZ+7/xurfrrw79h5rqauk03haQ0+WHMqoVTrvEXO7Ao2juFnX4gB/c7Qsx8tJvfk74w7H1r/AuaBYHkqMOce0Obpjq3fwqyS0tPElj702pCvdfDtZI2rY1PiUEjPEVtnlbrAw111vOyYwaAPy8RVw2Q==
Prime1: +mzLu2MYzX7U0dfwSu1J+VMYEeLIk5LDO5sBIdOTcR+i1MpF5gvqTu5/89weNYdSjgInZfgyntc0nZsj2jXCkWyPTKOtngx5KP67rLNtxdY+bD5HE7Ze985JVKwUaahnn6nTzf12lyDjbegVKyW/FL2IuYbZdiQ5Y9PKpYMWFI8=
Prime2: +R0g5/pd2jZV6Vj//L5rHB4OjyUEUnsdc6qs+vrrfzemTFAKjTjGyayXTYS82R3k5luxej5GNvji/J/Ly6eQnbFKI7dhPbOX2W1wSkhCOLgXPPSoBzQIeu/0XD1XJwhrf3IZt6HPw5NUBBY9yCP+2Tk58qDlOEnCpTNJeMC8Fkk=
Exponent1: nNeDCgvYvuuOsxbBosvXJtaKHrmg0fx7VluQa/UtRQ6BVzCQcrJHv8PUU5ErQm9MnzBuKIk4ew9iHsvJuqMtBxOs9F0XIgPB5pEUTefa+qtiUTz4Gzp/ZEjI2MUly77zl6Yvx7XVjnXEu1M93tY3RPAoL7prfHjXkNRW+S6Op7U=
Exponent2: iOibVyLgRbcrDC3fslYso61ZLw6XC4WiMBmTK/SPTMGW4cXzpp2XkusJ1I6pA2JMlNW7+oUTLc8nYNOpu2mCL0hqiKqWBMUZJWPiHNENpAJ4swV6+0p7hqUt1SvZJBiai9Z3j9acSs5DlGNs3Pv7agLreA85KvBOy2AedwDl3hE=
Coefficient: GCuVIunQ0WTXrXbug5L0Fn16fc28dBe+uHfLoNRix4p33ZPhAjahT6VLA5F7o9suwA98Ppc9IBh82qfJPqlk3v3nBV5GY5K+ivq4Huy4US9t19TqWog+tzmbVTYFzueXnJPzCPHtG7x5ps5PaxD17GDQWaSHK8idOijAPmbSOY4=
Created: 20220322031734
Publish: 20220322031734
Activate: 20220322031734



> On 29 Jul 2023, at 20:13, Axel Rau <Axel.Rau at Chaos1.DE> wrote:
> 
> Hi all,
> 
> I have several ZSKs in one zone, but only one is being
> used for signing.
> The others seem to be relicts from earlier rollovers.
> I would like to delete the unused DNSKEY RRs via nsupdate,
> but how can I identify a DNSKEY by label ?
> 
> The zone has not yet been converted to dnssec-policy but
> uses still auto-dnssec maintain.
> 
> Axel
> ---
> PGP-Key: CDE74120  ☀ mobile: +49 160 7568212
> computing @ chaos claudius

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
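As an added example (not part of Mark's or Axel's mail, and not BIND's own code): a Python script that takes the K<zone>+<alg>+<keyid>.key name and the timing comments from the key file quoted above, recomputes the RFC 4034 key tag from the DNSKEY RDATA to confirm it matches the key id in the file name (which is how a DNSKEY RR in the zone can be matched to its key file), and derives the key's state from the Publish/Activate/Inactive/Delete dates that dnssec-settime -I and -D set. The Inactive and Delete dates in RETIRED_FILE are constructed for illustration.

```python
import base64
import re
import struct
from datetime import datetime, timezone

# Mark's K.+005+12816.key from above (Created line omitted); BIND writes the RR on one
# line, wrapping the base64 at 56 columns, so the chunks are joined before decoding.
KEY_FILE = (
    "; Publish: 20220322031734 (Tue Mar 22 14:17:34 2022)\n"
    "; Activate: 20220322031734 (Tue Mar 22 14:17:34 2022)\n"
    ". IN DNSKEY 256 3 5 "
    "AwEAAfOwUKzeKqoZ98OnL3Gr6bbgkRYP7C/e2pj1VRxwnkh+Uy/KJ+l4 n5wcJVe6wQubIdNrwsPuhOOUjvJZwFfoEZAA5XkAs8/u9iWO2zNRswAN "
    "S3twZtaLK/3wMDwagBNW3ELw8UvQiaoDvqNkTVYSUOMVEmmmJYLUCZwb rncN/nSEJswwgna+s0wrj8QByq/R/y9WN4F46BbgvANirFQZm3izhYLd "
    "HjZVWrVBaynBUnjMrU8JI88KPzz5PhhhCOX/7Keh3Xqj7dWOZn4cYD/3 Yx8qz+x3siJUtXQHp4SViKGIQX8FmEATDFRyL0nWAe+GfahdwaUYOE5x "
    "oF9AIKAUJsc=\n"
)
# Constructed variant: the same key after "dnssec-settime -I ... -D ..." recorded these dates.
RETIRED_FILE = KEY_FILE.replace(
    ". IN DNSKEY", "; Inactive: 20230701000000\n; Delete: 20230901000000\n. IN DNSKEY")
FILENAME_RE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<id>\d{5})\.(?:key|private)$")
TIMING_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})")

def parse_ts(s):  # key-file timestamps are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_filename(fname):  # K<zone>+<alg>+<keyid>.key -> (zone, algorithm, key id)
    m = FILENAME_RE.match(fname)
    if not m:
        raise ValueError(f"not a BIND key file name: {fname}")
    return m["name"], int(m["alg"]), int(m["id"])

def parse_key_file(text):
    """Return (DNSKEY RDATA bytes, {timing field: UTC datetime}) from a .key file."""
    rdata, dates = None, {}
    for line in text.splitlines():
        if m := TIMING_RE.match(line):
            dates[m[1]] = parse_ts(m[2])
        elif "DNSKEY" in line and not line.startswith(";"):
            f = line.split()  # owner class type flags protocol algorithm base64...
            rdata = struct.pack("!HBB", int(f[3]), int(f[4]), int(f[5])) + base64.b64decode("".join(f[6:]))
    return rdata, dates

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the key id BIND encodes in the file name."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_state(dates, now):
    # Past -D the DNSKEY leaves the zone; past -I it stays published but no longer signs.
    for field, state in (("Delete", "removed"), ("Inactive", "retired"),
                         ("Activate", "active"), ("Publish", "published")):
        if field in dates and now >= dates[field]:
            return state
    return "unpublished"

if __name__ == "__main__":
    now, (rdata, dates) = parse_ts("20230730000000"), parse_key_file(KEY_FILE)
    print(parse_key_filename("K.+005+12816.key"), key_tag(rdata), key_state(dates, now))
    print(key_state(parse_key_file(RETIRED_FILE)[1], now))
```

A mismatch between the recomputed tag and the file name's key id means the DNSKEY RR in the zone does not come from that key file, which is the check to make before removing anything with nsupdate.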