Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

Klaus Darilion klaus.darilion at nic.at
Mon Jan 8 13:52:46 UTC 2024


Hi all!

I also know a colleague who was hit by the same issue, causing problems for their zone.

Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For example, that problem with different algos should be mentioned in https://kb.isc.org/docs/dnssec-key-and-signing-policy

Further, I suggest adding something like the following sentence to that article: Changing DNSSEC configuration can lead to unexpected zone changes and should be tested on dedicated test systems beforehand. If you do this on a hidden master, you could also temporarily disable outgoing XFR by configuring 'allow-transfer {"none";};' on that zone to prevent leakage of broken DNSSEC zones. This way you can check the zone after migration and only after successful testing (i.e. using https://dnsviz.net/d/ops.nic.at/analyze/ with advanced options, pointing directly to the hidden master) re-enable outgoing XFR.

Regards
Klaus

From: bind-users <bind-users-bounces at lists.isc.org> On behalf of Nick Tait via bind-users
Sent: Thursday, 28 December 2023 04:01
To: bind-users at lists.isc.org
Subject: Re: migration from auto-dnssec to dnssec-policy deletes keys immediately

On 28 Dec 2023, at 1:05 PM, Adrian Zaugg <lists.isc.org at mailgurgler.com> wrote:
2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK)
2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK)
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for policy mypolicy
2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for policy mypolicy

Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy.

My understanding is that after you’ve transitioned to using dnssec-policy you should be able to change the algorithm and Bind should do a graceful roll-over? Just make sure everything is “omnipresent” in your state files (in the keys directory) first.

Nick.
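As an added example (not code from this thread, from ISC, or from BIND itself): a small Python checker that reads the per-key state files named's keymgr keeps in the key directory and reports which of the states Nick refers to are not yet "omnipresent", so you can tell whether the zone is ready for an algorithm change in the policy before touching the configuration. It assumes the K<zone>.+<alg>+<id>.state layout of BIND 9.16+ with `DNSKEYState:`, `KRRSIGState:`, `ZRRSIGState:` and `DSState:` lines; the sample file contents are constructed and the function names are mine.

```python
"""Check BIND key state files before changing a dnssec-policy's algorithm.

Added example, not from this thread or from BIND. Assumptions: named writes
K<zone>.+<alg>+<id>.state beside each key (BIND 9.16+) with lines such as
'DNSKEYState: omnipresent' (values hidden/rumoured/omnipresent/unretentive),
and a key is fully rolled in when every state relevant to its role is
omnipresent (KSK: DNSKEY, KRRSIG, DS; ZSK: DNSKEY, ZRRSIG; CSK: all four).
"""
import glob
import os
import re
from dataclasses import dataclass, field

STATE_RE = re.compile(r"^(DNSKEY|ZRRSIG|KRRSIG|DS)State:\s*(\S+)", re.M)
ROLE_RE = re.compile(r"^(KSK|ZSK):\s*(yes|no)", re.M)
ALG_RE = re.compile(r"^Algorithm:\s*(\d+)", re.M)


@dataclass
class KeyState:
    name: str          # file name, e.g. Kmyzone.ch.+013+14076.state
    algorithm: int     # DNSSEC algorithm number (13 = ECDSAP256SHA256)
    ksk: bool
    zsk: bool
    states: dict = field(default_factory=dict)

    def required_states(self) -> set:
        """States that must be omnipresent for this key's role."""
        req = {"DNSKEY"}
        if self.ksk:
            req |= {"KRRSIG", "DS"}
        if self.zsk:
            req |= {"ZRRSIG"}
        return req

    def not_omnipresent(self) -> list:
        """Required states still hidden, rumoured, unretentive or absent."""
        return sorted(s for s in self.required_states()
                      if self.states.get(s) != "omnipresent")


def parse_state(name: str, text: str) -> KeyState:
    """Parse the text of one .state file into a KeyState."""
    alg = ALG_RE.search(text)
    roles = {k: v == "yes" for k, v in ROLE_RE.findall(text)}
    return KeyState(name=name,
                    algorithm=int(alg.group(1)) if alg else -1,
                    ksk=roles.get("KSK", False),
                    zsk=roles.get("ZSK", False),
                    states=dict(STATE_RE.findall(text)))


def check_keys(keys: list) -> tuple:
    """Return (zone_ready, problem lines): ready only if every key is
    fully omnipresent, i.e. safe to start rolling in a new algorithm."""
    problems = []
    for key in keys:
        missing = key.not_omnipresent()
        if missing:
            detail = ", ".join(f"{s}={key.states.get(s, 'absent')}" for s in missing)
            problems.append(f"{key.name} (alg {key.algorithm}): not omnipresent: {detail}")
    return (not problems, problems)


def scan_keys_dir(keys_dir: str, zone: str) -> list:
    """Read every .state file for `zone` from named's key-directory."""
    pattern = os.path.join(keys_dir, f"K{zone.rstrip('.')}.+*.state")
    keys = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="ascii") as fh:
            keys.append(parse_state(os.path.basename(path), fh.read()))
    return keys


# Constructed sample contents (not real state files): a KSK whose DS is
# still being introduced, and a ZSK that is fully omnipresent.
SAMPLE_KSK = """\
; This is the state of key 14076, for myzone.ch.
Algorithm: 13
KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
"""
SAMPLE_ZSK = """\
; This is the state of key 3654, for myzone.ch.
Algorithm: 13
KSK: no
ZSK: yes
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
"""


def demo() -> tuple:
    """Run the check over the constructed samples (use scan_keys_dir on a
    real key directory instead)."""
    return check_keys([parse_state("Kmyzone.ch.+013+14076.state", SAMPLE_KSK),
                       parse_state("Kmyzone.ch.+013+03654.state", SAMPLE_ZSK)])


if __name__ == "__main__":
    ready, problems = demo()
    print("ready for algorithm change" if ready else "NOT ready:")
    for line in problems:
        print("  " + line)
```

On a real server, replace `demo()` with `check_keys(scan_keys_dir("/var/cache/bind/keys", "myzone.ch"))` (path is a placeholder for your key-directory); only when it reports ready, and the zone has been verified as Klaus describes, change the algorithm in the policy.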