IIRC, Bind needs the key as long as there are signatures in the zone generated 
by this key. After key deactivation I waited the RRSIG lifetime before deleting 
them.

regards
Klaus
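An added example, not code from either poster, of applying Klaus's rule mechanically: it parses the timing metadata block of a BIND 9 `.private` file (constructed sample below, key material omitted) and reports a key pair as safe to rename only once the DNSKEY's Delete time has passed and its Inactive time plus the RRSIG lifetime (the `sig-validity-interval`, assumed here to be the 30-day default) has also elapsed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the metadata lines in a BIND 9 .private file;
# the key-material fields (Modulus, PublicExponent, ...) are omitted.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20211101120000
Publish: 20211101120000
Activate: 20211115120000
Inactive: 20220101120000
Delete: 20220115120000
"""

# Assumed: matches the BIND default sig-validity-interval (30 days).
# Use the value actually configured in named.conf for the zone.
RRSIG_LIFETIME = timedelta(days=30)

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def to_utc(stamp):
    """Parse a BIND timestamp (YYYYMMDDHHMMSS, UTC) into an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_timing(private_text):
    """Return {field: datetime} for the timing fields present in the file."""
    timing = {}
    for line in private_text.splitlines():
        m = re.match(r"^(\w+):\s*(\d{14})\s*$", line)
        if m and m.group(1) in TIMING_FIELDS:
            timing[m.group(1)] = to_utc(m.group(2))
    return timing


def retire_after(timing, rrsig_lifetime=RRSIG_LIFETIME):
    """Earliest instant at which named no longer needs this key pair: the
    DNSKEY is out of the zone (Delete) and every RRSIG the key could have
    produced (generated up to Inactive) has expired (Inactive + lifetime)."""
    if "Inactive" not in timing or "Delete" not in timing:
        return None  # no retirement scheduled: keep the files
    return max(timing["Delete"], timing["Inactive"] + rrsig_lifetime)


def safe_to_rename(private_text, now_stamp=None, rrsig_lifetime=RRSIG_LIFETIME):
    """True once the .key/.private pair may be renamed or removed."""
    now = to_utc(now_stamp) if now_stamp else datetime.now(timezone.utc)
    t = retire_after(parse_timing(private_text), rrsig_lifetime)
    return t is not None and now >= t


if __name__ == "__main__":
    print("retire after:", retire_after(parse_timing(SAMPLE_PRIVATE)))
    print("safe to rename now:", safe_to_rename(SAMPLE_PRIVATE))
```

With the sample key, the DNSKEY leaves the zone on 2022-01-15 but the files should stay until 2022-01-31, which is exactly the window in which the "file not found" errors in the original post appear.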

From: bind-users <bind-users-boun...@lists.isc.org> on behalf of egoitz--- via 
bind-users
Sent: Monday, 24 January 2022 13:00
To: bind-users@lists.isc.org
Subject: Bind 9, DNSSEC, and physical deletion of .key/.private files after the 
key id has been deleted from the zone (the key becomes outdated)

Good morning,

I have a DNSSEC "bump in the wire" server, which for that reason uses 
"inline-signing yes;" and "auto-dnssec maintain;".

I make sure there are always valid keys in the zone with a script that 
generates them whenever needed. All fine so far and all working.

I have seen that Bind sometimes logs the following errors in the messages log 
file:

dns_dnssec_keylistfromrdataset: error reading 
/xxx/xxx/xxx/xx-domain/named.aaa/aaa.xx.+008+41919.private: file not found
That "file not found" is due to my renaming the ".key" and ".private" files to 
".key-OLD" and ".private-OLD".

I did the rename because I saw that the ZSK key 41919 was set to be deleted 
from the zone (and of course I always renamed after that deletion date), so I 
renamed the ".key" and ".private" files to ".key-OLD" and ".private-OLD".

I do this rename because this way my key-checking script can tell the keys 
that are needed (in effect) apart from the "supposedly" non-needed ones (I say 
supposedly because I would have said that Bind should no longer be using those 
missing files for anything!), in order to check that each zone always has the 
keys it needs to stay properly signed by Bind (otherwise it generates them).

As I previously commented, I check with a script that all the needed keys exist 
for each domain. Obviously, checking a couple of ZSKs, or just one ZSK and a 
KSK (per domain), is not the same as checking those plus all the outdated keys 
that become outdated each month.

So, how long should I wait before renaming those files? Should I handle them 
with another dnssec-______ command instead of renaming? All seems to be working 
well, but I see these errors and was wondering if I could improve the way I 
handle outdated keys.

I have been taking a look at the source code of Bind (the tag of the version 
I'm using), and Bind does not seem to remove any of those key files when they 
become outdated. Or does it with some parameter? I have not been able to find 
one. I have also taken a look at the ARM, but still no luck finding the answers 
I was looking for.

Any help very appreciated,

Best regards,
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.