You need to tell BIND the DS is gone from the parent. See the usage for: rndc dnssec -checkds withdrawn <zone>
On Thu, Nov 7, 2024 at 12:04 PM Τάσος Λολότσης <tlolot...@gmail.com> wrote:
> Hello all,
>
> I’m currently facing an issue with DNSSEC key management in BIND and
> would appreciate any insights or experiences you might have.
>
> I have configured a DNSSEC policy for my domain with the following
> settings:
>
>     keys {
>         csk key-directory lifetime P365D algorithm ecdsa256;
>     };
>
>     // Key timings
>     dnskey-ttl PT1H;
>     publish-safety PT1H;
>     retire-safety PT1H;
>     purge-keys P30D;
>
>     // Signature timings
>     signatures-refresh P5D;
>     signatures-validity P14D;
>     signatures-validity-dnskey P14D;
>
>     // Zone parameters
>     max-zone-ttl P1D;
>     zone-propagation-delay PT5M;
>     parent-ds-ttl P1D;
>     parent-propagation-delay PT1H;
>
> After running the command dnssec -status, I see the following key status
> for
>
>     Key ID: 1002 (ECDSAP256SHA256):
>
>     Published: Yes - since Wed Oct 4 14:01:53 2023
>     Key Signing: Yes - since Wed Oct 4 14:01:53 2023
>     Zone Signing: No
>     Key is Retired: Will be removed on Sun Oct 13 15:06:53 2024
>
>     Goal: Hidden
>     DNSKEY: Omnipresent
>     DS: Unretentive
>     Zone RRSIG: Hidden
>     Key RRSIG: Omnipresent
>
> Also this is the detailed status of the key:
>
>     Algorithm: 13
>     Length: 256
>     Lifetime: 31536000
>     Successor: 39133
>     KSK: yes
>     ZSK: yes
>     Generated: 20231004120153 (Wed Oct 4 14:01:53 2023)
>     Published: 20231004120153 (Wed Oct 4 14:01:53 2023)
>     Active: 20231004120153 (Wed Oct 4 14:01:53 2023)
>     Retired: 20241003120153 (Thu Oct 3 14:01:53 2024)
>     Removed: 20241013130653 (Sun Oct 13 15:06:53 2024)
>     DSPublish: 20231120105349 (Mon Nov 20 11:53:49 2023)
>     PublishCDS: 20231005130653 (Thu Oct 5 15:06:53 2023)
>     DNSKEYChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
>     ZRRSIGChange: 20241013130653 (Sun Oct 13 15:06:53 2024)
>     KRRSIGChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
>     DSChange: 20241003120153 (Thu Oct 3 14:01:53 2024)
>     DNSKEYState: omnipresent
>     ZRRSIGState: hidden
>     KRRSIGState: omnipresent
>     DSState: unretentive
>     GoalState: hidden
>
> I am using the DNSSEC policy settings as shown above, but it appears that
> BIND is not automatically removing the key as expected.
>
> The key still seems to be in use, and it has not been removed from the
> system despite reaching its retirement and removal dates.
>
> Has anyone else experienced similar issues with DNSSEC policies in BIND?
>
> If so, how did you resolve it? Any advice on troubleshooting or correcting
> this issue would be greatly appreciated.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
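The check the reply describes, as an added example that is not part of either message above: the key's DS state is "unretentive", meaning BIND is waiting to learn that the parent has dropped the old DS before it moves the key to hidden and removes it. This script parses status output for keys stuck in that state, checks a "dig +short DS" listing to confirm the parent really no longer serves that key tag, and prints the rndc command from the reply. The zone name "example.com" and both sample outputs are constructed here (the status sample mirrors the labels the poster pasted, which may differ slightly from what a given BIND version prints), and the parsing is case-insensitive so it also accepts the "- ds:" style of rndc's own output.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC. Assumptions: the
# zone name and both sample outputs below are constructed for illustration.

ZONE="example.com"

# Constructed sample of "rndc dnssec -status" output: key 1002 is retired
# and stuck with DS unretentive; its successor 39133 is fully in place.
SAMPLE_STATUS='Key ID: 1002 (ECDSAP256SHA256):
Published: Yes - since Wed Oct 4 14:01:53 2023
Key Signing: Yes - since Wed Oct 4 14:01:53 2023
Zone Signing: No
Key is Retired: Will be removed on Sun Oct 13 15:06:53 2024
Goal: Hidden
DNSKEY: Omnipresent
DS: Unretentive
Zone RRSIG: Hidden
Key RRSIG: Omnipresent
Key ID: 39133 (ECDSAP256SHA256):
Goal: Omnipresent
DNSKEY: Omnipresent
DS: Omnipresent'

# Constructed sample of "dig +short DS example.com" at the parent: only the
# successor's DS is published, so the DS for key 1002 is already withdrawn.
SAMPLE_PARENT_DS='39133 13 2 0000000000000000000000000000000000000000000000000000000000000000'

# Read status output on stdin; print the key tag of every key whose DS
# state is "unretentive" (BIND waiting to be told the DS left the parent).
stuck_keys() {
  awk '
    tolower($0) ~ /^(key id|key):/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { key = $i; break }
    }
    {
      line = tolower($0); sub(/^[ \t-]+/, "", line)
      if (line ~ /^ds:/ && line ~ /unretentive/) print key
    }
  '
}

# Read "dig +short DS" output on stdin; succeed (exit 0) only if a DS with
# key tag $1 is still published at the parent.
ds_present_at_parent() {
  awk -v tag="$1" '$1 == tag { found = 1 } END { exit found ? 0 : 1 }'
}

# The rndc command that tells BIND the DS for key tag $1 has been withdrawn
# from the parent of zone $2.
checkds_command() {
  printf 'rndc dnssec -checkds -key %s withdrawn %s\n' "$1" "$2"
}

# For each stuck key in zone $1 (status in $2, parent DS listing in $3):
# print the rndc command if the parent no longer serves the DS, otherwise
# report that the DS has to be removed at the parent first.
plan_for_zone() {
  zone="$1"; status="$2"; parent_ds="$3"
  printf '%s\n' "$status" | stuck_keys | while read -r tag; do
    if printf '%s\n' "$parent_ds" | ds_present_at_parent "$tag"; then
      printf 'DS for key %s still at parent of %s: remove it there first\n' "$tag" "$zone"
    else
      checkds_command "$tag" "$zone"
    fi
  done
}

plan_for_zone "$ZONE" "$SAMPLE_STATUS" "$SAMPLE_PARENT_DS"
```

Against the constructed samples the script prints the single line `rndc dnssec -checkds -key 1002 withdrawn example.com`; on a live server you would feed it the real `rndc dnssec -status <zone>` and `dig +short DS <zone>` output instead of the samples, and only run the printed command once the dig listing confirms the old DS is gone.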