migration from auto-dnssec to dnssec-policy deletes keys immediately

Matthijs Mekking matthijs at isc.org
Wed Jan 3 09:43:18 UTC 2024


On 12/28/23 12:58, Adrian Zaugg wrote:
> Hi Nick
> 
> Not changing the key algo does help indeed when introducing dnssec-policy, see
> the log below. Thank you very much for pointing this out.
> 
> But I do not understand why BIND deletes valid and published keys, just
> because there should be another algo used. Couldn't this be done in a smooth
> key rollover process as well? Maybe someone with more insights than I have,
> could explain this behaviour. Thanks!

I suspect because it did not have the right key states set. In order to 
do this all automatically we need to maintain state. Prior to 
dnssec-policy there is no such state. When migrating to dnssec-policy we 
try to derive the key states from the key timing metadata in the key files.

You should check if the migration is complete and all key states are in 
omnipresent. You can do so with 'rndc dnssec -status <zone>'. From that 
point on it should be safe to make policy configuration changes, such as 
algorithm rolls, and old keys are phased out smoothly.

I am thinking of adding an additional safety mechanism during migration, 
because you are not the first one to do this.

Best regards,
   Matthijs

> Best regards, Adrian.
> 
> 
> Log of successful change from auto-dnssec to dnssec-policy (using the same algo):
> 2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...]
> 2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE,32,[...])
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys
> 2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa
> 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+61287.private have changed from 0640 to 0600 as a result of this operation.
> 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+38348.private have changed from 0640 to 0600 as a result of this operation.
> 2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository.
> 2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400).
> 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published
> 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active
> 2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published
> 2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692)
> 
> 

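A way to script the check Matthijs describes, as an added example that is not from this thread or from BIND itself: it reads `rndc dnssec -status <zone>` output and succeeds only when every key's goal and every reported state (dnskey, ds, zone rrsig, key rrsig) is omnipresent, so a dnssec-policy change can be gated on it. The status text below is constructed; its layout is assumed to match the output documented in the BIND ARM, and the key ids are reused from the log above.

```shell
# Constructed samples shaped like 'rndc dnssec -status <zone>' output (layout
# assumed from the BIND ARM; not captured from the zone in the thread).
STATUS_MIGRATED='dnssec-policy: mypolicy_ecdsa
current time:  Thu Jan  4 10:00:00 2024

key: 61287 (ECDSAP256SHA256), KSK
  published:      yes - since Thu Dec 28 11:53:01 2023
  key signing:    yes - since Thu Dec 28 11:53:01 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             omnipresent
  - key rrsig:      omnipresent

key: 50817 (ECDSAP256SHA256), ZSK
  published:      yes - since Thu Dec 28 11:53:01 2023
  zone signing:   yes - since Thu Dec 28 11:53:01 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent
'
# Same zone shortly after migration: the parent DS has not been seen yet, so
# the KSK's ds state is still "rumoured" and a policy change is not yet safe.
STATUS_PENDING=$(printf '%s\n' "$STATUS_MIGRATED" | sed 's/^  - ds:  *omnipresent$/  - ds:             rumoured/')

# Read status text on stdin. Exit 0 only when at least one key is listed and
# every key's goal and reported state is "omnipresent"; otherwise print each
# key/state still in transition and exit 1.
dnssec_migration_complete() {
    awk '
        /^key: /  { key = $2; keys++ }
        /^  - /   {
            line = $0; sub(/^  - /, "", line)
            split(line, kv, /:[ \t]*/)          # kv[1] = name, kv[2] = state
            if (kv[1] ~ /^(goal|dnskey|ds|zone rrsig|key rrsig)$/ &&
                kv[2] != "omnipresent") {
                printf "key %s: %s is %s, not omnipresent\n", key, kv[1], kv[2]
                bad++
            }
        }
        END { if (keys == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Typical use on a live server, gating a named.conf edit on the check:
#   rndc dnssec -status myzone.ch | dnssec_migration_complete && echo "safe to change dnssec-policy"
```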