Restore the keys from backups and let named MANAGE the removal of the old keys. People really need to stop being impatient with DNSSEC key management. It is a SLOW process as there are interactions with the parent zone that need to be co-ordinated and WAIT TIMES that need to be observed. Named has those rules encoded into it.
Mark

> On 16 Oct 2024, at 11:54, Arnold DECHAMPS <arn...@adechamps.net> wrote:
> 
> Hello everyone,
> 
> I made an algo rollover in DNSSEC from algo 8 to algo 13.
> 
> Software version : 9.18.28-1~deb12u2-Debian
> 
> My zone configuration refers to policies :
> 
> ==========================================================================
> 
> dnssec-policy "algo8" {
>     keys {
>         ksk lifetime unlimited algorithm rsasha256;
>         zsk lifetime 30d algorithm rsasha256;
>     };
>     max-zone-ttl 1d;
>     signatures-validity 14d;
>     signatures-refresh 7d;
> };
> 
> dnssec-policy "algo13" {
>     keys {
>         ksk lifetime unlimited algorithm 13;
>         zsk lifetime 30d algorithm 13;
>     };
>     max-zone-ttl 1d;
>     signatures-validity 14d;
>     signatures-refresh 7d;
> };
> 
> dnssec-policy "algo8-13" {
>     keys {
>         ksk lifetime unlimited algorithm rsasha256; // Old Algo
>         zsk lifetime 30d algorithm rsasha256;       // Old Algo
>         ksk lifetime unlimited algorithm 13;        // New Algo
>         zsk lifetime 30d algorithm 13;              // New Algo
>     };
>     max-zone-ttl 1d;
>     signatures-validity 14d;
>     signatures-refresh 7d;
> };
> 
> ==========================================================================
> 
> The zone config looks like :
> 
> ==========================================================================
> 
> zone "somedomain.com" {
>     ...
>     inline-signing yes;
>     dnssec-policy "algo13";
>     key-directory "/etc/bind/keys";
> };
> 
> ==========================================================================
> 
> 
> The initial idea was to switch the config of the domains that had to be
> rolled over to algo8-13 and temporarily have both keys in the zone waiting
> for the TTL of the DS records to expire. This was successful and algo 13 is
> now in use. I then switched to the algo13 policy and deleted the algo 8 keys
> of my keys directory.
> 
> At this point, Bind sees that all the algo 8 keys are expired. It also sees
> that it can't find the files anymore (which prevents me from using
> dnssec-settime as far as I know).
> 
> ==========================================================================
> dns_dnssec_keylistfromrdataset: error reading
> /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
> dns_dnssec_findzonekeys2: error reading
> /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
> ==========================================================================
> 
> It still publishes the DNSKEY in the signed zone. I would like to ideally
> correct this by forcing bind to discard the old keys. Is this possible to do?
> And if yes, how?
> 
> Regards,
> 
> Arnold
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
> 
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
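A pre-deletion check, added here as an example and not part of the thread or of BIND itself: before pruning a key directory, confirm that no DNSKEY still published in the signed zone lacks its K<owner>.+<alg>+<tag>.key/.private files, which is exactly the mismatch behind the "file not found" errors above. The zone data, key tags and file names are constructed; the key tag routine follows RFC 4034 Appendix B.

```python
import base64
import re
import struct

# Constructed sample data (not from the thread): an algorithm 8 KSK and an
# algorithm 13 ZSK are published, but only the algorithm 13 key files remain.
ZONE_TEXT = """\
somedomain.com. 3600 IN DNSKEY 257 3 8 AAECAwQF
somedomain.com. 3600 IN DNSKEY 256 3 13 CAkKCwwN
"""
KEY_DIR_FILES = [
    "Ksomedomain.com.+013+08750.key",
    "Ksomedomain.com.+013+08750.private",
]
# BIND key file naming: K<owner>.+<alg, 3 digits>+<key tag, 5 digits>.<ext>
KEYFILE_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private)$")


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    if len(rdata) % 2:
        rdata += b"\x00"  # pad odd-length RDATA with a zero octet
    ac = sum(struct.unpack(f"!{len(rdata) // 2}H", rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def published_keys(zone_text: str):
    """Yield (owner, algorithm, key tag) for each DNSKEY RR in zone-file text."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        pubkey = base64.b64decode("".join(f[7:]))
        yield f[0].rstrip("."), int(f[6]), key_tag(int(f[4]), int(f[5]), int(f[6]), pubkey)


def keys_without_files(zone_text: str, filenames) -> list:
    """List (algorithm, key tag, ext) for published DNSKEYs whose key file is absent."""
    present = {
        (m["name"], int(m["alg"]), int(m["tag"]), m["ext"])
        for m in map(KEYFILE_RE.match, filenames) if m
    }
    return [
        (alg, tag, ext)
        for owner, alg, tag in published_keys(zone_text)
        for ext in ("key", "private")
        if (owner, alg, tag, ext) not in present
    ]
```

Run against the real signed zone (dig DNSKEY output works as zone text) and a listing of the key directory; an empty result means the directory is consistent with what named is still publishing.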