Hi,
To automate this you need to configure parental-agents.
From 9.20.0 you can use the new 'checkds' option to automatically
populate parental-agents.
Best regards,
Matthijs
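One way to wire up the automation Matthijs describes, as an added example that is not from the thread or from ISC: a named.conf fragment that wraps the original poster's policy and gives the zone a way to learn the state of its DS RRset at the parent, so the "DS: Unretentive" step completes without a manual rndc dnssec -checkds. Zone name, policy name, file path and addresses are placeholders; option names follow the BIND 9.20 ARM.

```conf
// Added example, not from the thread or ISC. Placeholders: zone name,
// policy name, file path, parental-agent addresses (documentation ranges).

// The policy fragment from the original post, given a name so a zone
// can reference it.
dnssec-policy "csk-yearly" {
    keys {
        csk key-directory lifetime P365D algorithm ecdsa256;
    };
    dnskey-ttl PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
    purge-keys P30D;
    signatures-refresh P5D;
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    max-zone-ttl P1D;
    zone-propagation-delay PT5M;
    parent-ds-ttl P1D;
    parent-propagation-delay PT1H;
};

// Named list of the parent zone's authoritative servers. named queries
// these for the child's DS RRset to confirm a DS was published or
// withdrawn before moving the key to the next rollover state.
parental-agents "example-parent" {
    192.0.2.53;
    2001:db8::53;
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    dnssec-policy "csk-yearly";

    // Option A: rely only on the explicitly configured list above.
    parental-agents { "example-parent"; };
    checkds explicit;

    // Option B (BIND 9.20+, per Matthijs): drop the two lines above and
    // let named discover the parental agents from the parent's NS RRset:
    //   checkds yes;
};
```

Once either option is in place, rndc dnssec -status on the zone should show the DS state advancing from unretentive to hidden on its own after the parent's DS change has propagated.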
On 11/8/24 12:23, Τάσος Λολότσης wrote:
Hello
Thank you very much for the reply. I thought this was happening
automatically because I used dnssec-policy. If it’s not happening, is
there something else that can help me automate this process by
withdrawing the key?
On Fri, Nov 8, 2024 at 12:58 AM Crist Clark <cjc+bind-us...@pumpky.net> wrote:
You need to tell BIND the DS is gone from the parent. See the usage for,
rndc dnssec -checkds withdrawn <zone>
On Thu, Nov 7, 2024 at 12:04 PM Τάσος Λολότσης <tlolot...@gmail.com> wrote:
Hello all,
I’m currently facing an issue with DNSSEC key management in
BIND and would appreciate any insights or experiences you might
have.
I have configured a DNSSEC policy for my domain with the
following settings:
keys {
    csk key-directory lifetime P365D algorithm ecdsa256;
};
// Key timings
dnskey-ttl PT1H;
publish-safety PT1H;
retire-safety PT1H;
purge-keys P30D;
// Signature timings
signatures-refresh P5D;
signatures-validity P14D;
signatures-validity-dnskey P14D;
// Zone parameters
max-zone-ttl P1D;
zone-propagation-delay PT5M;
parent-ds-ttl P1D;
parent-propagation-delay PT1H;
After running the command dnssec -status, I see the following
key status for
Key ID: 1002 (ECDSAP256SHA256):
Published: Yes - since Wed Oct 4 14:01:53 2023
Key Signing: Yes - since Wed Oct 4 14:01:53 2023
Zone Signing: No
Key is Retired: Will be removed on Sun Oct 13 15:06:53 2024
Goal: Hidden
DNSKEY: Omnipresent
DS: Unretentive
Zone RRSIG: Hidden
Key RRSIG: Omnipresent
Also, this is the detailed status of the key:
Algorithm: 13
Length: 256
Lifetime: 31536000
Successor: 39133
KSK: yes
ZSK: yes
Generated: 20231004120153 (Wed Oct 4 14:01:53 2023)
Published: 20231004120153 (Wed Oct 4 14:01:53 2023)
Active: 20231004120153 (Wed Oct 4 14:01:53 2023)
Retired: 20241003120153 (Thu Oct 3 14:01:53 2024)
Removed: 20241013130653 (Sun Oct 13 15:06:53 2024)
DSPublish: 20231120105349 (Mon Nov 20 11:53:49 2023)
PublishCDS: 20231005130653 (Thu Oct 5 15:06:53 2023)
DNSKEYChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
ZRRSIGChange: 20241013130653 (Sun Oct 13 15:06:53 2024)
KRRSIGChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
DSChange: 20241003120153 (Thu Oct 3 14:01:53 2024)
DNSKEYState: omnipresent
ZRRSIGState: hidden
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden
I am using the DNSSEC policy settings as shown above, but it
appears that BIND is not automatically removing the key as
expected.
The key still seems to be in use, and it has not been removed
from the system despite reaching its retirement and removal dates.
Has anyone else experienced similar issues with DNSSEC policies
in BIND?
If so, how did you resolve it? Any advice on troubleshooting or
correcting this issue would be greatly appreciated.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users