Hello,
A year ago, I migrated a subdomain from auto-dnssec to dnssec-policy
according to https://kb.isc.org/docs/dnssec-key-and-signing-policy.
Everything went well. named set the ZSK's lifetime to 0. I later
initiated a manual rollover. I also had to set the KSK's DSState
manually from rumoured to published.
The domain uses this policy:
    dnssec-policy "myway" {
        keys {
            ksk key-directory lifetime unlimited
                algorithm rsasha256 2048;
            zsk key-directory lifetime P60D
                algorithm rsasha256 1024;
        };
    };
When I migrated another domain today, the active ZSK was immediately
superseded by a new ZSK (same algorithm) and the old ZSK's DNSKEY wasn't
published. For the time being, I've added an unlimited policy in order
to keep the current ZSK:
    dnssec-policy "myunlimited" {
        keys {
            ksk key-directory lifetime unlimited
                algorithm rsasha256 2048;
            zsk key-directory lifetime unlimited
                algorithm rsasha256 1024;
        };
    };
How can I enable ZSK rollover without immediately losing the current
ZSK's DNSKEY?
The current ZSK is old and has these keys in the private file:
    Private-key-format: v1.3
    Created: 20151010091913
    Publish: 20151010091913
    Activate: 20151010091913
With the "myway" policy, named added the keys below when I switched from
auto-dnssec to dnssec-policy.
    Inactive: 20151209091913
    Delete: 20151219102413
Why does named add new keys with past dates?
Another problem: Even after running "rndc dnssec -checkds published
example.com" the KSK stays in DSState rumoured. I've got the following
messages in the log:
    keymgr: checkds DS for key example.com/RSASHA256/12345
    seen published at Mon Jan 30 10:58:16 2023
    zone example.com/IN (signed): reconfiguring zone keys
I have BIND 9.18.10 on Fedora 37. A year ago I had BIND 9.16.23 on
Fedora 35.
Kind regards,
Andreas
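As an added illustration (not part of the post above and not ISC code), the following script reads the timing metadata of a BIND `.private` file, such as the lines quoted for the old ZSK, and reports whether a key would already be past its Inactive/Delete times when a `lifetime P60D` policy is applied to it. The constructed sample reuses the poster's timestamps; the formula for the retire interval (Delete minus Inactive) is an assumption based on dnssec-policy defaults and happens to match the posted dates.

```python
from datetime import datetime, timedelta

# Constructed sample: the timing lines quoted in the post for the old ZSK,
# in the layout BIND writes to K<zone>+<alg>+<id>.private (key material omitted).
SAMPLE_PRIVATE = """Private-key-format: v1.3
Created: 20151010091913
Publish: 20151010091913
Activate: 20151010091913
Inactive: 20151209091913
Delete: 20151219102413
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")
ZSK_LIFETIME = timedelta(days=60)  # "lifetime P60D" from the myway policy

# Assumption (not stated in the post): with dnssec-policy defaults the ZSK
# retire interval is (signatures-validity - signatures-refresh) + max-zone-ttl
# + zone-propagation-delay + retire-safety = 9d + 1d + 5m + 1h.
ZSK_RETIRE_INTERVAL = timedelta(days=10, hours=1, minutes=5)

def parse_ts(value):
    """Parse a BIND YYYYMMDDHHMMSS timestamp (always UTC in key files)."""
    return datetime.strptime(value.strip(), "%Y%m%d%H%M%S")

def parse_private_timing(text):
    """Return {field: datetime} for the timing metadata lines of a .private file."""
    timing = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip() in TIMING_FIELDS:
            timing[field.strip()] = parse_ts(value)
    return timing

def key_state_at(timing, now):
    """State implied by the timing metadata alone at time `now`."""
    for field, state in (("Delete", "deleted"), ("Inactive", "retired"),
                         ("Activate", "active"), ("Publish", "published")):
        if field in timing and now >= timing[field]:
            return state
    return "future"

def migration_warnings(timing, lifetime, retire_interval, now):
    """Why applying a policy with `lifetime` at `now` would retire this key at once."""
    warnings = []
    # If named has not written Inactive/Delete yet, derive them from Activate.
    inactive = timing.get("Inactive", timing["Activate"] + lifetime)
    delete = timing.get("Delete", inactive + retire_interval)
    if inactive <= now:
        warnings.append(f"Inactive {inactive:%Y-%m-%d %H:%M} is already in the past")
    if delete <= now:
        warnings.append(f"Delete {delete:%Y-%m-%d %H:%M} is already in the past")
    return warnings
```

Running `migration_warnings` over a key directory before switching a zone to `dnssec-policy` shows which old ZSKs named will treat as already retired, which is the situation the post describes.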