You can set 'purge-keys' to a value you feel comfortable with. By default it is set to 90 days, so 90 days after the key is completely hidden, it will be removed from disk.

Best regards,

Matthijs

On 19-03-2025 09:29, adrien sipasseuth wrote:
Hello,

I use BIND 9.20.4, with a KASP policy to set up DNSSEC on some zones.
When a KSK is "hidden" and shown as such by "rndc dnssec -status <zone>",
I move it to an archive repository.

But this generates many logs:
mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025
09:15:46.149 dnssec: error: zone bxxxxxxxxxxxxxxx/IN (signed):
zone_rekey:zone_verifykeys failed: some key files are missing
mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025
09:15:46.149 dnssec: info: zone bxxxxxxxxxxxxxxx/IN (signed):
reconfiguring zone keys
mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025
09:15:46.153 dnssec: debug 1: zone bxxxxxxxxxxxxxxx/IN (signed):
verifykeys: key bxxxxxxxxxxxxxxx/ECDSAP256SHA256/2610 - not available


And this is the content of the state file for this KSK:
; This is the state of key 2610, for bxxxxxxxxxxxxxxx.
Algorithm: 13
Length: 256
Lifetime: 63072000
Successor: 15728
KSK: yes
ZSK: no
Generated: 20240205133815 (Mon Feb  5 14:38:15 2024)
Published: 20240205133815 (Mon Feb  5 14:38:15 2024)
Active: 20240205133815 (Mon Feb  5 14:38:15 2024)
Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
PublishCDS: 20240206144315 (Tue Feb  6 15:43:15 2024)
DSPubCount: 4
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden

So when can I "archive" / remove my expired KSK from the file system?

Regards,
Adrien SIPASSEUTH
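As an added illustration (not code from the thread or from ISC), the following script parses the key state file quoted above and works out when named would consider the key file purgeable. It assumes the rule described in the reply: every record state must be "hidden" and the purge-keys interval (90 days by default, `purge-keys P90D;` in a dnssec-policy) must have elapsed since the most recent *Change timestamp; the timestamps are read as the numeric UTC values.

```python
from datetime import datetime, timedelta

# Constructed input: the relevant lines of the KSK state file quoted in the thread.
STATE_FILE = """\
; This is the state of key 2610, for bxxxxxxxxxxxxxxx.
Algorithm: 13
KSK: yes
ZSK: no
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
"""

def parse_state(text):
    """Parse 'Key: value' lines of a BIND .state file; lines starting with ';' are comments.
    Only the first token of the value is kept, so the '(human readable date)' part is dropped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip().split()[0]
    return fields

def earliest_purge(fields, purge_days=90):
    """Return (all_hidden, purge_time). Assumed rule: the key file may be purged once
    every record state (DNSKEY/KRRSIG/ZRRSIG/DS) is 'hidden' and purge-keys has elapsed
    since the latest *Change timestamp. GoalState is the target, not a record state."""
    states = {k: v for k, v in fields.items() if k.endswith("State") and k != "GoalState"}
    all_hidden = bool(states) and all(v == "hidden" for v in states.values())
    changes = [datetime.strptime(v, "%Y%m%d%H%M%S")
               for k, v in fields.items() if k.endswith("Change")]
    if not all_hidden or not changes:
        return False, None
    return True, max(changes) + timedelta(days=purge_days)

def safe_to_archive(text, now, purge_days=90):
    """True once named itself would have purged the key file, so moving it away no longer
    triggers 'some key files are missing'."""
    hidden, purge_time = earliest_purge(parse_state(text), purge_days)
    return hidden and now >= purge_time

if __name__ == "__main__":
    print(earliest_purge(parse_state(STATE_FILE)))  # (True, 2025-05-22 12:43:16)
```

For the quoted key the purge date falls on 2025-05-22, which is why moving the file on 19 March still produced the verifykeys errors.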