Hello,

I recently moved a few zones from "auto-dnssec maintain" to
"dnssec-policy ..." to prepare for simpler/automatic key rotation in the
future.

For the time being I have configured my policy with separate KSK and ZSK
and unlimited key life times to replicate the old setup as closely as
possible.  I also had a few old and outdated keys lying around, and
would like to keep those, so my policy has "purge-keys 0".  All other
policy settings are default.

The setup is mostly working as expected - which is great.  But there is
one issue which has surprised me, and which is slightly annoying since it
tends to set off a few security warnings:  All the key related files are
now touched by BIND once an hour, whether they are modified or not.
Which they obviously never should be, given my current policy.

This is particularly surprising wrt the deleted keys. But it's equally
unnecessary with the current keys. And touching those is actually more
annoying since it's an unexpected file system operation with real
security implications.  Or at least it feels that way...

I guess an example illustrates the issue best:

bjorn@louie:/etc/bind/dnssec/dyn.mork.no$ ls -l
total 48
-rw-r--r-- 1 bind bind  535 Apr 24 09:37 Kdyn.mork.no.+005+00318.key
-rw------- 1 bind bind 1058 Apr 24 09:37 Kdyn.mork.no.+005+00318.private
-rw-r--r-- 1 bind bind  520 Apr 24 09:37 Kdyn.mork.no.+005+00318.state
-rw-r--r-- 1 bind bind  711 Apr 24 09:37 Kdyn.mork.no.+005+36391.key
-rw------- 1 bind bind 1822 Apr 24 09:37 Kdyn.mork.no.+005+36391.private
-rw-r--r-- 1 bind bind  590 Apr 24 09:37 Kdyn.mork.no.+005+36391.state
-rw-r--r-- 1 bind bind  342 Apr 24 09:37 Kdyn.mork.no.+013+32300.key
-rw------- 1 bind bind  187 Apr 24 09:37 Kdyn.mork.no.+013+32300.private
-rw-r--r-- 1 bind bind  447 Apr 24 09:37 Kdyn.mork.no.+013+32300.state
-rw-r--r-- 1 bind bind  398 Apr 24 09:37 Kdyn.mork.no.+013+63342.key
-rw------- 1 bind bind  215 Apr 24 09:37 Kdyn.mork.no.+013+63342.private
-rw-r--r-- 1 bind bind  571 Apr 24 09:37 Kdyn.mork.no.+013+63342.state
bjorn@louie:/etc/bind/dnssec/dyn.mork.no$ date
Sun Apr 24 10:28:22 BST 2022
bjorn@louie:/etc/bind/dnssec/dyn.mork.no$ cat Kdyn.mork.no.+005+00318.key
; This is a zone-signing key, keyid 318, for dyn.mork.no.
; Created: 20170611145248 (Sun Jun 11 15:52:48 2017)
; Publish: 20170611145248 (Sun Jun 11 15:52:48 2017)
; Activate: 20170611145248 (Sun Jun 11 15:52:48 2017)
; Inactive: 20181012184500 (Fri Oct 12 19:45:00 2018)
; Delete: 20181022195000 (Mon Oct 22 20:50:00 2018)
dyn.mork.no. IN DNSKEY 256 3 5 
AwEAAbDpSVlCP78U04SDDQEN9jzs/bgr2ms2Xr5bgkWKvueBPE80I7Su 
b94K/0SgHK83F6BFfkBhk6uGYt5SqlQIz4dyFltCCfue/2JZNYmAGq2g 
gFp1vKQvOiTmejf4sh+ATC8VnRbW4Kkx2mlJHcv2cy/tqR8VygMLfNvZ uzwPEnJB
bjorn@louie:/etc/bind/dnssec/dyn.mork.no$ cat Kdyn.mork.no.+005+00318.state 
; This is the state of key 318, for dyn.mork.no.
Algorithm: 5
Length: 1024
KSK: no
ZSK: yes
Generated: 20170611145248 (Sun Jun 11 15:52:48 2017)
Published: 20170611145248 (Sun Jun 11 15:52:48 2017)
Active: 20170611145248 (Sun Jun 11 15:52:48 2017)
Retired: 20181012184500 (Fri Oct 12 19:45:00 2018)
Removed: 20181022195000 (Mon Oct 22 20:50:00 2018)
DNSKEYChange: 20220405085059 (Tue Apr  5 09:50:59 2022)
ZRRSIGChange: 20220405085059 (Tue Apr  5 09:50:59 2022)
DNSKEYState: hidden
ZRRSIGState: hidden
GoalState: hidden
bjorn@louie:/etc/bind/dnssec/dyn.mork.no$ ls -l
total 48
-rw-r--r-- 1 bind bind  535 Apr 24 10:37 Kdyn.mork.no.+005+00318.key
-rw------- 1 bind bind 1058 Apr 24 10:37 Kdyn.mork.no.+005+00318.private
-rw-r--r-- 1 bind bind  520 Apr 24 10:37 Kdyn.mork.no.+005+00318.state
-rw-r--r-- 1 bind bind  711 Apr 24 10:37 Kdyn.mork.no.+005+36391.key
-rw------- 1 bind bind 1822 Apr 24 10:37 Kdyn.mork.no.+005+36391.private
-rw-r--r-- 1 bind bind  590 Apr 24 10:37 Kdyn.mork.no.+005+36391.state
-rw-r--r-- 1 bind bind  342 Apr 24 10:37 Kdyn.mork.no.+013+32300.key
-rw------- 1 bind bind  187 Apr 24 10:37 Kdyn.mork.no.+013+32300.private
-rw-r--r-- 1 bind bind  447 Apr 24 10:37 Kdyn.mork.no.+013+32300.state
-rw-r--r-- 1 bind bind  398 Apr 24 10:37 Kdyn.mork.no.+013+63342.key
-rw------- 1 bind bind  215 Apr 24 10:37 Kdyn.mork.no.+013+63342.private
-rw-r--r-- 1 bind bind  571 Apr 24 10:37 Kdyn.mork.no.+013+63342.state
bjorn@louie:/etc/bind/dnssec/dyn.mork.no$ date
Sun Apr 24 10:38:58 BST 2022


Is this expected or am I doing something wrong?  And if this is
expected, then why?

FWIW, I am running the Debian stable BIND package, which should be
pretty much a plain recent 9.16:

bjorn@louie:~$ named -V
BIND 9.16.27-Debian (Extended Support Version) <id:96094c5>
running on Linux x86_64 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=/usr/include' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--disable-option-checking' '--disable-silent-rules' 
'--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' 
'--disable-maintainer-mode' '--disable-dependency-tracking' 
'--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' 
'--with-python=python3' '--localstatedir=/' '--enable-threads' 
'--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' 
'--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' 
'--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' 
'--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 
'--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 
'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-wQCDJA/bind9-9.16.27=. 
-fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing 
-fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 
'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.1 20210110
compiled with OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: //run/named/session.key
  named PID file:       //run/named/named.pid
  named lock file:      //run/named/named.lock
  geoip-directory:      /usr/share/GeoIP



Bjørn
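One way to stop the hourly rewrites from setting off file-integrity alerts is to distinguish a content-preserving touch from a real key-file modification. The monitor below is an added example, not code from the post or from BIND; the key name in the demo is taken from the listing above, and the file contents are constructed.

```python
"""Classify changes in a BIND key directory as mere touches (mtime moved,
content identical) or real modifications (content changed), so that alerts
fire only on the latter. Added example; not from the original post."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

KEY_SUFFIXES = (".key", ".private", ".state")

def snapshot(keydir):
    """Return {filename: {"sha256": ..., "mtime": ...}} for K*.key/.private/.state."""
    snap = {}
    for p in sorted(Path(keydir).iterdir()):
        if p.name.startswith("K") and p.suffix in KEY_SUFFIXES:
            snap[p.name] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                            "mtime": p.stat().st_mtime}
    return snap

def classify(old, new):
    """Compare two snapshots; only 'modified' (and added/removed) deserve an alert."""
    result = {"touched": [], "modified": [], "added": [], "removed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result["added"].append(name)
        elif name not in new:
            result["removed"].append(name)
        elif old[name]["sha256"] != new[name]["sha256"]:
            result["modified"].append(name)
        elif old[name]["mtime"] != new[name]["mtime"]:
            result["touched"].append(name)   # rewritten with identical bytes
    return result

def save(snap, path):
    Path(path).write_text(json.dumps(snap))

def load(path):
    return json.loads(Path(path).read_text()) if os.path.exists(path) else {}

def demo():
    """Constructed scenario: one file touched without change, one file really edited."""
    d = tempfile.mkdtemp()
    base = "Kdyn.mork.no.+005+00318"                  # key name from the listing above
    Path(d, base + ".key").write_text("; constructed zone-signing key\n")
    Path(d, base + ".state").write_text("ZSK: yes\nGoalState: hidden\n")
    before = snapshot(d)
    later = time.time() + 3600                          # simulate the hourly rewrite
    os.utime(Path(d, base + ".key"), (later, later))    # same bytes, new mtime
    Path(d, base + ".state").write_text("ZSK: yes\nGoalState: omnipresent\n")
    return classify(before, snapshot(d))
```

Run `snapshot()` from cron, persist it with `save()`, and feed the previous and current snapshots to `classify()`; files that land only in `touched` can be suppressed in the integrity monitor.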