Hi Edwardo,
On 12/22/22 05:01, Edwardo Garcia wrote:
Hi,
I recently upgraded from 9.16 to latest version and changed a zone, ran
verisign test and it said all good, so changed my zones from auto
maintain dnssec to dnssec policy default, what a nightmare, most our
zones vanished few hours later for a day, and it create new keys for
everything, this bug i saw was fixed many versions ago, should it not
see my have keys and re-use them (keys were made a year ago on current
at the time v9.11, we upgrade to 9.16 in July and no issue till these
option name change rubbish. I was warned by colleagues not to do this as
they too say migration nightmares, but I am my own person and now I
regret not listening their advise.
I hope you have read our KB article on dnssec-policy before migrating:
https://kb.isc.org/v1/docs/en/dnssec-key-and-signing-policy
It should list the main pitfalls to save you a lot of hassle (I suspect
you started algorithm rollover immediately when changing to
dnssec-policy default).
If there are any things we should add, I am happy to receive your
suggestions.
Now I think is under control, once identifying the current key set, is
it safe to manually delete all the others keys privates and states,
except the current one, and will any of that DS change again?
Probably, without knowing your current state of things it is hard to
give a more confident answer.
Setting 'purge-keys' inside your 'dnssec-policy' is probably your best
bet for the future. By default, no longer used keys are deleted from
disk after 90 days.
Best regards,
Matthijs
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users