Hello,

A year ago, I migrated a subdomain from auto-dnssec to dnssec-policy according to https://kb.isc.org/docs/dnssec-key-and-signing-policy.

Everything went well. named set the ZSK's lifetime to 0. I later initiated a manual rollover. I also had to set the KSK's DSState manually from rumoured to published.

The domain uses this policy:

 dnssec-policy "myway" {
  keys {
   ksk key-directory lifetime unlimited
       algorithm rsasha256 2048;
   zsk key-directory lifetime P60D
       algorithm rsasha256 1024;
  };
 };

When I migrated another domain today, the active ZSK was immediately superseded by a new ZSK (same algorithm) and the old ZSK's DNSKEY wasn't published. For the time being, I've added an unlimited policy in order to keep the current ZSK:

 dnssec-policy "myunlimited" {
  keys {
   ksk key-directory lifetime unlimited
       algorithm rsasha256 2048;
   zsk key-directory lifetime unlimited
       algorithm rsasha256 1024;
  };
 };

How can I enable ZSK rollover without immediately losing the current ZSK's DNSKEY?

The current ZSK is old and has these keys in the private file:

 Private-key-format: v1.3
 Created: 20151010091913
 Publish: 20151010091913
 Activate: 20151010091913

With the "myway" policy, named added the keys below when I switched from auto-dnssec to dnssec-policy.

 Inactive: 20151209091913
 Delete: 20151219102413

Why does named add new keys with past dates?

Another problem: Even after running "rndc dnssec -checkds published example.com" the KSK stays in DSState rumoured. I've got the following messages in the log:

 keymgr: checkds DS for key example.com/RSASHA256/12345
 seen published at Mon Jan 30 10:58:16 2023
 zone example.com/IN (signed): reconfiguring zone keys

I have BIND 9.18.10 on Fedora 37. A year ago I had BIND 9.16.23 on Fedora 35.

Kind regards,
Andreas
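An added example, not part of the post above: a small Python checker for the timing metadata named writes into a key's .private file, using a sample constructed from the timestamps quoted in the mail. It reports which state a key is in at a given instant and checks whether Inactive equals Activate plus the policy's ZSK lifetime; for the quoted values, Inactive is exactly P60D after the 2015 Activate time, which is consistent with the lifetime being applied from the key's original activation date. The PnD duration parser is an assumption made for this example and handles only day-based lifetimes.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: the timing lines quoted in the mail (Kxxx.private, v1.3).
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Created: 20151010091913
Publish: 20151010091913
Activate: 20151010091913
Inactive: 20151209091913
Delete: 20151219102413
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")

def parse_timestamp(value):
    """named writes timing fields as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_private_file(text):
    """Return {field: datetime} for the timing fields present in a .private file."""
    timing = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in TIMING_FIELDS:
            timing[name] = parse_timestamp(value.strip())
    return timing

def parse_day_lifetime(lifetime):
    """Assumed helper: parse day-only ISO 8601 lifetimes such as P60D."""
    m = re.fullmatch(r"P(\d+)D", lifetime)
    if not m:
        raise ValueError("only PnD lifetimes are handled here: %r" % lifetime)
    return timedelta(days=int(m.group(1)))

def key_state(timing, now):
    """Classify the key at 'now'; a missing field means that event never happens."""
    if "Delete" in timing and now >= timing["Delete"]:
        return "removed"
    if "Inactive" in timing and now >= timing["Inactive"]:
        return "retired"
    if "Activate" in timing and now >= timing["Activate"]:
        return "active"
    if "Publish" in timing and now >= timing["Publish"]:
        return "published"
    return "unpublished"

def inactive_matches_lifetime(timing, lifetime):
    """True if Inactive == Activate + lifetime, i.e. a fixed lifetime applied from Activate."""
    return timing["Inactive"] == timing["Activate"] + parse_day_lifetime(lifetime)
```

Run it against a real .private file before switching a zone to dnssec-policy to see whether the dates named would compute from the key's original Activate time already lie in the past.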

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users