Dear all, I have tried some faulty ways to setup dnssec for some of my domains about a month ago. This resulted in the creation of several ZSK, KSK and CSK dnssec keys (and files) until I got a configuration that actually was working as it should. Due to proper ignorance and non-knowledge I deleted those files somewhen in between while trying.
After a while I got a correct working setup (using the default *facepalm*). Although I have then successfully managed to get the correct key setup into the DS with the root tld zones, I have mysterious DNSKEY entries on my bind installations for these particular domains that I do not seem to get rid of. I do not have the initially created key files anymore, they are nowhere referenced in bind configuration of the zones or anywhere in bind. I even deleted the /var/lib/bind/ directory contents of the master and secondaries, restarted all bind binaries. They are still there. And yes, I shutdown all binds, deleted the files, restarted them again. Still somewhere existing. How do I get these obsolete entries removed? The working (and now current) setup is simply the default ... dnssec-policy default; key-directory "/etc/bind/zones/master/floppy-friends/rosen-roth.com-keys/"; inline-signing yes; serial-update-method increment; }; in the zone directives for the master bind. root@theater:/etc/bind# dig rosen-roth.com. DNSKEY ; <<>> DiG 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu <<>> rosen-roth.com. DNSKEY ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37442 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: a797dbfa0e86e3030100000068556a2fa1cfa1f6c89a33aa (good) ;; QUESTION SECTION: ;rosen-roth.com. IN DNSKEY ;; ANSWER SECTION: rosen-roth.com. 3600 IN DNSKEY 257 3 13 CtkLyrsB5YZ7Q8xXW8xNrLrXXbVt9FlQhZN4YXtAIGZ7XhIgxca3dn5s fowG0GVA5uVU3VKmZDxg3uYOWc1KVg== rosen-roth.com. 3600 IN DNSKEY 257 3 13 U04Pkg5Y4PVyVmGf1+d2nsjsCncm8uvVZ55Ci/UsOLVFJboaYw5UWMb4 LWNuBBNv/TDnlJT6fbhN+LockkW+iA== root@theater:/etc/bind# rndc dnssec -status rosen-roth.com dnssec-policy: default current time: Fri Jun 20 16:03:48 2025 key: 30519 (ECDSAP256SHA256), CSK published: yes - since Mon Jun 2 21:20:55 2025 key signing: yes - since Mon Jun 2 21:20:55 2025 zone signing: yes - since Mon Jun 2 21:20:55 2025 No rollover scheduled - goal: omnipresent - dnskey: omnipresent - ds: omnipresent - zone rrsig: omnipresent - key rrsig: omnipresent root@theater:/etc/bind# l zones/master/floppy-friends/rosen-roth.com-keys/ total 20 drwxrws--- 2 bind bind 4096 Jun 4 23:25 ./ drwxrwsr-x 20 root bind 4096 Jun 20 15:54 ../ -rw-r--r-- 1 bind bind 409 Jun 4 23:25 Krosen-roth.com.+013+30519.key -rw------- 1 bind bind 241 Jun 4 23:25 Krosen-roth.com.+013+30519.private -rw-r--r-- 1 bind bind 727 Jun 4 23:25 Krosen-roth.com.+013+30519.state https://dnsviz.net/d/rosen-roth.com/analyze/ shows that the key id 30519 is used as it should. But the other key 46018 exists there, signed by 30519 apparently. The 46018 is expired now, which is probably good, but how the h* do I get this thing "deleted"? I do not know where this "key" is "hiding"... I have 2 more domains, one even suffers from 4 existing keys (3 phantom). Btw, I did NOT submit those "obsolete" keys for entry in the corresponding .tld zone DS lists... Any pointers would be highly appreciated. root@theater:/etc/bind# named -version BIND 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu (Extended Support Version) <id:> (existed with the 9.20.9.... as well) Florian -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
