On Sun, Apr 24, 2022 at 11:58:44AM +0200, Bjørn Mork wrote:

Hello,

> I recently moved a few zones from "auto-dnssec maintain" to
> "dnssec-policy ..." to prepare for simpler/automatic key rotation in the
> future.
>
> For the time being I have configured my policy with separate KSK and ZSK
> and unlimited key life times to replicate the old setup as closely as
> possible. I also had a few old and outdated keys lying around, and
> would like to keep those, so my policy has "purge-keys 0". All other
> policy settings are default.
>
> The setup is mostly working as expected - which is great. But there is
> one issue which has surprised me, and which is slightly annoying since it
> tends to set off a few security warnings: All the key related files are
> now touched by BIND once an hour, whether they are modified or not.
> Which they obviously never should be, given my current policy.

I discovered the same issue with bind 9.16.27 and FreeBSD 13.0.

> This is particularly surprising wrt the deleted keys. But it's equally
> unnecessary with the current keys. And touching those is actually more
> annoying since it's an unexpected file system operation with real
> security implications. Or at least it feels that way...

My test server runs only a few zones and only one with dnssec-policy, but I have a production server with more than 70 000 zones. This issue would generate a very high IO load on such a server.

> Is this expected or am I doing something wrong? And if this is
> expected, then why?

Good question.

--
Laurent Frigault | Free.org - BookMyName.com - ONLINE SAS - Registrar ID 74
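Since the hourly touches trip file-integrity alerts, a monitoring check that tells a bare mtime bump apart from an actual content change lets a defender suppress the noise without losing real key modifications. The following is an added example, not code from the thread or from BIND; it assumes the standard K<zone>.+<alg>+<id>.key/.private/.state file naming and uses constructed sample files.

```python
"""Classify changes to BIND DNSSEC key files: touched only vs content changed."""
import hashlib
import os
import tempfile
import time

KEY_SUFFIXES = (".key", ".private", ".state")


def snapshot(keydir):
    """Record mtime and SHA-256 of every K*.key/.private/.state file in keydir."""
    snap = {}
    for name in sorted(os.listdir(keydir)):
        if not (name.startswith("K") and name.endswith(KEY_SUFFIXES)):
            continue
        path = os.path.join(keydir, name)
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        snap[name] = {"mtime": os.stat(path).st_mtime, "sha256": digest}
    return snap


def classify(old, new):
    """Map each file to 'added', 'removed', 'modified', 'touched' or 'unchanged'.
    'touched' means the mtime moved but the bytes did not: BIND's hourly touch."""
    result = {}
    for name in set(old) | set(new):
        if name not in old:
            result[name] = "added"
        elif name not in new:
            result[name] = "removed"
        elif old[name]["sha256"] != new[name]["sha256"]:
            result[name] = "modified"   # real change: worth an alert
        elif old[name]["mtime"] != new[name]["mtime"]:
            result[name] = "touched"    # mtime only: safe to suppress
        else:
            result[name] = "unchanged"
    return result


def demo():
    """Constructed key directory: one file only touched, one actually rewritten."""
    keydir = tempfile.mkdtemp()
    files = {  # constructed placeholder contents, not real key material
        "Kexample.com.+013+12345.key": b"example.com. IN DNSKEY 257 3 13 PLACEHOLDER\n",
        "Kexample.com.+013+12345.private": b"Private-key-format: v1.3\nPLACEHOLDER\n",
        "Kexample.com.+013+54321.key": b"example.com. IN DNSKEY 256 3 13 PLACEHOLDER\n",
    }
    for name, data in files.items():
        with open(os.path.join(keydir, name), "wb") as f:
            f.write(data)
    before = snapshot(keydir)
    t = time.time() + 3600  # simulate the hourly touch: new mtime, same bytes
    os.utime(os.path.join(keydir, "Kexample.com.+013+12345.key"), (t, t))
    with open(os.path.join(keydir, "Kexample.com.+013+54321.key"), "ab") as f:
        f.write(b"; rewritten\n")  # simulate a genuine content change
    return classify(before, snapshot(keydir))
```

In a real deployment the snapshot would be persisted (for example as JSON) between runs and only 'modified', 'added' and 'removed' would be forwarded to the alerting pipeline.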