Hi, I recently moved from auto-dnssec to dnssec-policy and after the switch I tried to change a zone from an RSA ZSK/KSK to an ECDSA CSK.
When I changed the dnssec-policy from rsa to ecdsa-csk the old keys immediately got removed, which led to a bogus DNSSEC for the zone. I was expecting a rollover procedure. BIND version is 9.18.12 (Debian Backports).

My question is, did I do something wrong? What would have been the right way to do it? I noticed that the DS state is "hidden" before and after the switch of the dnssec-policy but I found no way to change that.

Here are the config and logs of the change. Old and new policy are:

dnssec-policy "rsa" {
    keys {
        ksk key-directory lifetime unlimited algorithm rsasha256 2048;
        zsk key-directory lifetime P60D algorithm rsasha256 1024;
    };
};

dnssec-policy "ecdsa-csk" {
    keys {
        csk key-directory lifetime unlimited algorithm 13;
    };
};

Zone definition is:

zone "sub.my.zone" {
    type master;
    file "/etc/bind/dynamic-zones/sub.my.zone/sub.my.zone";
    allow-transfer { localhost; ns2; };
    key-directory "/etc/bind/dynamic-zones/sub.my.zone";
    dnssec-policy "ecdsa-csk";
    parental-agents { 127.12.12.13; };
    allow-update { key sub.my.zone_api.; };
};

Jun 02 13:26:19 alita named[1001022]: general: notice: zone sub.my.zone/IN/default: checkds: set 1 parentals
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: reconfiguring zone keys
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/54096 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/56781 (ZSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: retire DNSKEY sub.my.zone/RSASHA256/13786 (KSK)
Jun 02 13:26:19 alita named[1001022]: dnssec: info: keymgr: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) created for policy ecdsa-csk
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/56781 (ZSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/RSASHA256/13786 (KSK) is now deleted
Jun 02 13:26:19 alita named[1001022]: dnssec: info: Fetching sub.my.zone/ECDSAP256SHA256/36745 (CSK) from key repository.
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now published
Jun 02 13:26:19 alita named[1001022]: dnssec: info: DNSKEY sub.my.zone/ECDSAP256SHA256/36745 (CSK) is now active
Jun 02 13:26:19 alita named[1001022]: dnssec: info: zone sub.my.zone/IN/default: next key event: 02-Jun-2023 13:31:19.338
Jun 02 13:26:19 alita named[1001022]: notify: info: zone sub.my.zone/IN/default: sending notifies (serial 2014014053)

DNSSEC status before:

dnssec-policy: rsa
current time: Fri Jun 2 13:23:54 2023

key: 54096 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - zone rrsig:     unretentive

key: 56781 (RSASHA256), ZSK
  published:      yes - since Fri Jun 2 11:15:23 2023
  zone signing:   yes - since Fri Jun 2 12:20:23 2023

  Next rollover scheduled on Tue Aug 1 10:15:23 2023
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     rumoured

key: 13786 (RSASHA256), KSK
  published:      yes - since Wed Jan 22 22:42:33 2014
  key signing:    yes - since Wed Jan 22 22:42:33 2014

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - key rrsig:      omnipresent

DNSSEC status after:

dnssec-policy: ecdsa-csk
current time: Fri Jun 2 13:32:23 2023

key: 54096 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden

key: 56781 (RSASHA256), ZSK
  published:      no
  zone signing:   no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         unretentive
  - ds:             unretentive
  - zone rrsig:     unretentive
  - key rrsig:      unretentive

key: 36745 (ECDSAP256SHA256), CSK
  published:      yes - since Fri Jun 2 13:26:19 2023
  key signing:    yes - since Fri Jun 2 13:26:19 2023
  zone signing:   yes - since Fri Jun 2 13:26:19 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         rumoured
  - ds:             hidden
  - zone rrsig:     rumoured
  - key rrsig:      rumoured

key: 13786 (RSASHA256), KSK
  published:      no
  key signing:    no

  Key has been removed from the zone
  - goal:           hidden
  - dnskey:         hidden
  - ds:             hidden
  - zone rrsig:     unretentive
  - key rrsig:      hidden

Best Regards
Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
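As an added example (not part of Sebastian's post and not BIND's own code), a small Python parser for key-state listings in the layout of the "DNSSEC status" output quoted above; it splits the listing per key and flags any key that is currently signing the DNSKEY RRset while the key manager's record of the DS at the parent is not omnipresent, which is exactly the "ds: hidden" condition visible on the KSK before the policy change. The sample input is a constructed excerpt modelled on the "before" listing; the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample excerpt in the layout of the status listing from the post.
SAMPLE_STATUS = """\
dnssec-policy: rsa
current time: Fri Jun 2 13:23:54 2023
key: 56781 (RSASHA256), ZSK
  published:      yes - since Fri Jun 2 11:15:23 2023
  zone signing:   yes - since Fri Jun 2 12:20:23 2023

  Next rollover scheduled on Tue Aug 1 10:15:23 2023
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     rumoured

key: 13786 (RSASHA256), KSK
  published:      yes - since Wed Jan 22 22:42:33 2014
  key signing:    yes - since Wed Jan 22 22:42:33 2014

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             hidden
  - key rrsig:      omnipresent
"""

KEY_RE = re.compile(r"^key:\s+(\d+)\s+\((\S+)\),\s+(KSK|ZSK|CSK)")   # "key: 13786 (RSASHA256), KSK"
STATE_RE = re.compile(r"^\s*-\s+([a-z ]+):\s+(\S+)")                  # "  - ds:   hidden"
FLAG_RE = re.compile(r"^\s*(published|key signing|zone signing):\s+(yes|no)")

def parse_status(text: str) -> List[Dict[str, str]]:
    """Return one dict per key: id, alg, role, yes/no flags and the state names."""
    keys: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys.append({"id": m.group(1), "alg": m.group(2), "role": m.group(3)})
            continue
        if not keys:
            continue  # header lines (policy name, current time) before the first key
        m = FLAG_RE.match(line) or STATE_RE.match(line)
        if m:
            keys[-1][m.group(1)] = m.group(2)
    return keys

def keys_without_parent_ds(keys: List[Dict[str, str]]) -> List[str]:
    """Ids of keys that sign the DNSKEY RRset while their DS state is not omnipresent."""
    return [k["id"] for k in keys
            if k.get("key signing") == "yes" and k.get("ds", "hidden") != "omnipresent"]
```

Run it over `rndc dnssec -status <zone>` output before touching the policy: a non-empty result means the key manager does not consider the DS for that key to be in place at the parent.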