Hi Nick,

Not changing the key algo does help indeed when introducing dnssec-policy, see the log below. Thank you very much for pointing this out.

But I do not understand why BIND deletes valid and published keys, just because there should be another algo used. Couldn't this be done in a smooth key rollover process as well? Maybe someone with more insights than I have could explain this behaviour.

Thanks!

Best regards,
Adrian.

Log of successful change from auto-dnssec to dnssec-policy (using the same algo):

2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...]
2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals
2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE, 32,[...])
2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys
2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) created for policy mypolicy_ecdsa
2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+61287.private have changed from 0640 to 0600 as a result of this operation.
2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.+013+38348.private have changed from 0640 to 0600 as a result of this operation.
2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key repository.
2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation to match the DNSKEY TTL (86400).
2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now published
2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now active
2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now published
2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now published
2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023 12:53:01.176
2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial 2021010692)
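The post above shows that the migration went smoothly once the dnssec-policy used the same algorithm as the existing keys. The following script is an added example (not from the original post or from ISC): it reads the algorithm number out of BIND's key file names (K<zone>.+<alg>+<keyid>.private, as in the log's /var/lib/bind/keys) and prints the matching dnssec-policy mnemonic, so the policy can be checked against the keys on disk before it is enabled. The list of algorithm numbers covers the ones currently used for signing; anything else is reported as unknown.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Report the algorithm of every DNSSEC key file in a key directory so a
# dnssec-policy can be written with the same algorithm and BIND does not
# retire the existing keys on the switch from auto-dnssec.
# Key file naming: K<zone>.+<alg>+<keyid>.private

# Map a 3-digit DNSSEC algorithm number to its dnssec-policy mnemonic.
alg_name() {
    case "$1" in
        008) echo rsasha256 ;;
        010) echo rsasha512 ;;
        013) echo ecdsap256sha256 ;;
        014) echo ecdsap384sha384 ;;
        015) echo ed25519 ;;
        016) echo ed448 ;;
        *)   echo "unknown($1)" ;;
    esac
}

# Print "<algnumber> <mnemonic>" once per distinct algorithm found in $1.
key_algorithms() {
    dir="$1"
    for f in "$dir"/K*.private; do
        [ -e "$f" ] || continue          # no key files: empty output
        base=${f##*/}                    # drop the directory part
        alg=${base#K*.+}                 # strip "K<zone>.+"
        alg=${alg%%+*}                   # keep only "<alg>"
        echo "$alg $(alg_name "$alg")"
    done | sort -u
}

# Usage: key_algorithms /var/lib/bind/keys
# For the keys in the post this prints: 013 ecdsap256sha256
```

The printed mnemonic is the value to put in the `algorithm` field of the `keys` clause in the dnssec-policy; if the script prints more than one line, the zone has keys of more than one algorithm and the policy can only match one of them.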