Hello everyone, I made an algo rollover in DNSSEC from algo 8 to algo 13.
Software version: 9.18.28-1~deb12u2-Debian

My zone configuration refers to policies:

==========================================================================
dnssec-policy "algo8" {
    keys {
        ksk lifetime unlimited algorithm rsasha256;
        zsk lifetime 30d algorithm rsasha256;
    };
    max-zone-ttl 1d;
    signatures-validity 14d;
    signatures-refresh 7d;
};

dnssec-policy "algo13" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime 30d algorithm 13;
    };
    max-zone-ttl 1d;
    signatures-validity 14d;
    signatures-refresh 7d;
};

dnssec-policy "algo8-13" {
    keys {
        ksk lifetime unlimited algorithm rsasha256;  // Old Algo
        zsk lifetime 30d algorithm rsasha256;        // Old Algo
        ksk lifetime unlimited algorithm 13;         // New Algo
        zsk lifetime 30d algorithm 13;               // New Algo
    };
    max-zone-ttl 1d;
    signatures-validity 14d;
    signatures-refresh 7d;
};
==========================================================================

The zone config looks like:

==========================================================================
zone "somedomain.com" {
    ...
    inline-signing yes;
    dnssec-policy "algo13";
    key-directory "/etc/bind/keys";
};
==========================================================================

The initial idea was to switch the config of the domains that had to be rolled over to algo8-13 and temporarily have both keys in the zone, waiting for the TTL of the DS records to expire. This was successful and algo 13 is now in use. I then switched to the algo13 policy and deleted the algo 8 keys from my keys directory. At this point, Bind sees that all the algo 8 keys are expired. It also sees that it can't find the files anymore (which prevents me from using dnssec-settime as far as I know).
==========================================================================
dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
==========================================================================

It still publishes the DNSKEY in the signed zone. I would like to ideally correct this by forcing Bind to discard the old keys. Is this possible to do? And if yes, how?

Regards,
Arnold

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
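A check that goes with the situation in the post above, added here as an example and not code from the original message or from ISC/BIND: BIND names key files by key tag (the 16000 in Ksomedomain.com.+008+16000.private), so the way to confirm which DNSKEY records the zone still publishes for the old algorithm is to compute the RFC 4034 Appendix B key tag of every DNSKEY in the RRset and group them by algorithm. The script below parses presentation-format DNSKEY lines (what dig prints), computes the key tags, and reports any key whose algorithm is not the target one. The three DNSKEY records are constructed sample data with made-up key material (not real keys of somedomain.com); the owner name is taken from the post. It only verifies what is published; it does not make named drop a key.

```python
"""Map published DNSKEY records to BIND key-file names by key tag.

Added example (not from the bind-users post). Sample records below are
constructed; their key bytes are not real keys.
"""
import base64
from dataclasses import dataclass

ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256"}  # the two algorithms in the post


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def role(self) -> str:
        # Bit 15 of the flags field is the SEP bit: a KSK carries 257, a ZSK 256.
        return "KSK" if self.flags & 0x0001 else "ZSK"

    @property
    def key_tag(self) -> int:
        """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
        if self.algorithm == 1:
            # RSAMD5 uses a different rule (Appendix B.1 note); not relevant to an 8 -> 13 rollover.
            raise ValueError("algorithm 1 key tags are not handled here")
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
        ac = 0
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b  # even offsets are the high byte of a 16-bit word
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def bind_file_name(self) -> str:
        """Base name BIND uses for this key's files: K<owner>+<alg>+<tag>."""
        return f"K{self.owner}+{self.algorithm:03d}+{self.key_tag:05d}"


def parse_dnskey_line(line: str) -> DnsKey:
    """Parse one presentation-format DNSKEY record as printed by dig (TTL/class optional)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    key_b64 = "".join(tokens[idx + 4:])  # the base64 key may be split across whitespace
    return DnsKey(tokens[0], flags, protocol, algorithm, base64.b64decode(key_b64))


def keys_by_algorithm(lines):
    """Return {algorithm: [(role, key_tag), ...]} for the DNSKEY RRset given as text lines."""
    grouped = {}
    for line in lines:
        if "DNSKEY" not in line:
            continue  # skip RRSIGs, comments and dig chatter
        key = parse_dnskey_line(line)
        grouped.setdefault(key.algorithm, []).append((key.role, key.key_tag))
    return grouped


def lingering_keys(lines, target_algorithm):
    """Keys still published whose algorithm is not the target one, as (algorithm, role, key_tag)."""
    return sorted(
        (alg, role, tag)
        for alg, entries in keys_by_algorithm(lines).items() if alg != target_algorithm
        for role, tag in entries
    )


def _constructed_record(owner, flags, algorithm, key_bytes):
    # Builds a dig-style DNSKEY line from made-up key bytes (sample data only).
    return f"{owner}\t3600\tIN\tDNSKEY\t{flags} 3 {algorithm} {base64.b64encode(key_bytes).decode()}"


# Constructed sample RRset: the algo 13 pair that should remain, plus one leftover algo 8 ZSK.
SAMPLE_DNSKEY_RRSET = [
    _constructed_record("somedomain.com.", 257, 13, bytes(range(1, 65))),
    _constructed_record("somedomain.com.", 256, 13, bytes(64)),
    _constructed_record("somedomain.com.", 256, 8, b"\x03\x01\x00\x01" + b"\xff" * 32),
]

if __name__ == "__main__":
    for alg, entries in sorted(keys_by_algorithm(SAMPLE_DNSKEY_RRSET).items()):
        print(f"algorithm {alg} ({ALGORITHM_NAMES.get(alg, '?')}): {entries}")
    for alg, role, tag in lingering_keys(SAMPLE_DNSKEY_RRSET, 13):
        print(f"still published: {role} algorithm {alg}, key tag {tag} "
              f"(file name would be Ksomedomain.com.+{alg:03d}+{tag:05d}.*)")
```

To run it against the live zone instead of the constructed sample, feed it the answer section of `dig @127.0.0.1 somedomain.com DNSKEY +norec` (any non-DNSKEY lines are skipped). A key tag that appears in the output but has no matching K*.private file in the key directory is exactly the condition behind the "file not found" messages in the post.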