Hi,
I have tried to reproduce this, but when I issue a rollover it selects
the key I generated previously, as expected.
If you believe this is a genuine bug, please support a bug report:
https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Default
and fill in the steps to reproduce the issue.
Any logs (preferably debug level 3) would then also be greatly appreciated.
Thanks, best regards,
Matthijs
On 3/26/25 14:51, Nguyen Thi Minh Tam via bind-users wrote:
"Hi, I'm trying version 9.18.31.
According to the post on
https://kb.isc.org/docs/dnssec-key-and-signing-policy, the policy
normally generates keys when they are needed. However, we can generate
the DNSSEC keys ourselves first, and when the policy requires a new key,
it will select the one we created.
There is even an example in that post.
So, I followed that approach. I generated a new key that matches the
policy and placed it in the key directory. However, when it was time to
roll the key, my key was retired, and the policy generated a new one
instead.
Here is my policy:"
dnssec-policy "hosting key" {
    dnskey-ttl PT1M;
    keys {
        ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
        zsk key-directory lifetime P30D algorithm RSASHA256 2048;
    };
};
And I run this command to generate the next key:
dnssec-keygen -a 8 -b 2048 -n ZONE -K /data/keys/policy.com/ policy.com
I even tried
dnssec-keygen -k "hosting key" -l /etc/named.conf -K /data/keys/policy.com/ policy.com
so I'm pretty sure the new key matches the policy. But still, they all
got retired.
Please help.
Best regards,
Tam
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
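A check worth running before relying on a pre-generated key in the situation described in the thread above: parse the key's `.key` file and compare its DNSKEY parameters (flags, protocol, algorithm, RSA modulus size) with the matching `ksk`/`zsk` line of the dnssec-policy. This is an added example, not BIND's own code or the poster's; the sample key file and its RSA public-key blob are constructed here, and the encodings follow RFC 4034 (DNSKEY RDATA) and RFC 3110 (RSA public key).

```python
import base64

RSASHA256 = 8                       # DNSSEC algorithm number for RSASHA256
FLAGS = {"ksk": 257, "zsk": 256}    # DNSKEY flags: the SEP bit is set only on a KSK

def _constructed_rsa_blob(modulus_bits: int) -> str:
    """Build an RFC 3110 RSA public key blob (not a real key) for the sample file."""
    exponent = b"\x01\x00\x01"                               # 65537
    modulus = b"\x80" + b"\x11" * (modulus_bits // 8 - 1)   # top bit set, no leading zero
    return base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()

# Constructed sample of a Kpolicy.com.+008+NNNNN.key file in the shape dnssec-keygen
# writes it: comment lines start with ';', followed by one DNSKEY record.
SAMPLE_ZSK_KEYFILE = f"""; This is a zone-signing key, keyid 12345, for policy.com.
policy.com. 60 IN DNSKEY 256 3 8 {_constructed_rsa_blob(2048)}
"""

def parse_dnskey_keyfile(text: str) -> dict:
    """Return flags, protocol, algorithm and RSA modulus size from a .key file."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        raw = base64.b64decode("".join(fields[i + 4:]))
        exp_len, start = raw[0], 1
        if exp_len == 0:                # exponent longer than 255 bytes: 2-byte length
            exp_len, start = int.from_bytes(raw[1:3], "big"), 3
        modulus = raw[start + exp_len:]
        bits = modulus[0].bit_length() + 8 * (len(modulus) - 1)
        return {"flags": flags, "protocol": proto, "algorithm": alg, "bits": bits}
    raise ValueError("no DNSKEY record in key file")

def check_against_policy(text: str, role: str, algorithm: int, bits: int) -> list:
    """List every way the key differs from the policy's '<role> ... algorithm N bits' line."""
    key = parse_dnskey_keyfile(text)
    expected = {"flags": FLAGS[role], "protocol": 3, "algorithm": algorithm, "bits": bits}
    return [f"{name}: key has {key[name]}, policy wants {want}"
            for name, want in expected.items() if key[name] != want]

if __name__ == "__main__":
    # The policy's zsk line: algorithm RSASHA256 2048
    print(check_against_policy(SAMPLE_ZSK_KEYFILE, "zsk", RSASHA256, 2048))   # []
    # The same key checked against the ksk line fails on the flags field
    print(check_against_policy(SAMPLE_ZSK_KEYFILE, "ksk", RSASHA256, 2048))
```

This only validates the public DNSKEY parameters; the lifetime and timing metadata the policy also relies on live in the key's other files and are not examined here.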