Hello, I use BIND 9.20.4 with a KASP policy to set up DNSSEC on some zones. When a KSK is "hidden" and present with "rndc dnssec -status <zone>", I moved it to an archive repository.
But this generates many log messages:

mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025 09:15:46.149 dnssec: error: zone bxxxxxxxxxxxxxxx/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing
mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025 09:15:46.149 dnssec: info: zone bxxxxxxxxxxxxxxx/IN (signed): reconfiguring zone keys
mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025 09:15:46.153 dnssec: debug 1: zone bxxxxxxxxxxxxxxx/IN (signed): verifykeys: key bxxxxxxxxxxxxxxx/ECDSAP256SHA256/2610 - not available

And this is the content of the state file for this KSK:

; This is the state of key 2610, for bxxxxxxxxxxxxxxx.
Algorithm: 13
Length: 256
Lifetime: 63072000
Successor: 15728
KSK: yes
ZSK: no
Generated: 20240205133815 (Mon Feb 5 14:38:15 2024)
Published: 20240205133815 (Mon Feb 5 14:38:15 2024)
Active: 20240205133815 (Mon Feb 5 14:38:15 2024)
Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
PublishCDS: 20240206144315 (Tue Feb 6 15:43:15 2024)
DSPubCount: 4
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden

So when can I "archive" / remove my expired KSK from the file system?

Regards,
Adrien SIPASSEUTH
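A pre-archive check over a key state file like the one quoted above, as an added example that is not part of the original post or of BIND: it reports whether every state field is "hidden" and whether a retention interval has elapsed since the most recent state change. The function names, the constructed sample (zone name replaced with example.test) and the retention value are assumptions; 90 days is used in the test because it is the documented default of the purge-keys option in dnssec-policy, and the numeric timestamps are treated as UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the state-file fields quoted in the post.
SAMPLE_STATE = """\
; This is the state of key 2610, for example.test.
Algorithm: 13
KSK: yes
ZSK: no
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
"""

def parse_state(text):
    """Return {field: value} from a key .state file, skipping ';' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip()] = value.strip()
    return fields

def archive_check(text, now, retention):
    """Return (ok, reason); ok only if every *State field is hidden and the
    newest *Change timestamp is at least `retention` (assumed policy) old."""
    f = parse_state(text)
    states = {k: v for k, v in f.items() if k.endswith("State")}
    not_hidden = sorted(k for k, v in states.items() if v != "hidden")
    if not states or not_hidden:
        return False, "states not hidden: " + (", ".join(not_hidden) or "none found")
    changes = [datetime.strptime(v.split()[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
               for k, v in f.items() if k.endswith("Change")]
    if not changes:
        return False, "no *Change timestamps"
    eligible = max(changes) + retention
    if now < eligible:
        return False, "wait until " + eligible.isoformat()
    return True, "all states hidden since " + max(changes).isoformat()
```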