Most likely you have to delete those files manually.
In 9.16.13, a new "dnssec-policy" option is introduced, "purge-keys". By
default the keys are retained for 90 days after their latest usage. So
in that case keys will be cleaned up automatically.
If you run a lower version, or if you set "purge-keys 0;" (disabled),
you have to purge key files manually.
Best regards,
Matthijs
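As an added illustration of the manual check Matthijs describes (not code from this thread or from BIND itself): a small Python script that parses the key-file naming convention shown in the listing below (K<zone>.+<alg>+<keytag>.key/.private/.state) and the RRSIG lines that dig +dnssec prints, then reports key files whose algorithm and key tag no longer sign anything. The file names and dig output in the block are constructed from the values quoted in the thread; the script only reports, it deletes nothing.

```python
import re

# Key file name convention: K<zone>.+<alg>+<keytag>.{key,private,state}
KEYFILE_RE = re.compile(
    r"^K(?P<zone>.+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?:key|private|state)$"
)

# RRSIG rdata as dig prints it (with or without +short):
# <type> <alg> <labels> <origttl> <expire> <inception> <keytag> <signer.> <sig>
RRSIG_RE = re.compile(
    r"(?P<type>[A-Z0-9]+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+\.)(?:\s|$)"
)

# Constructed sample input (values taken from the thread, signatures shortened).
SAMPLE_KEY_FILES = [
    "Kkreme.com.+007+01083.key", "Kkreme.com.+007+01083.state", "Kkreme.com.+007+01083.private",
    "Kkreme.com.+007+30512.key", "Kkreme.com.+007+30512.state", "Kkreme.com.+007+30512.private",
    "Kkreme.com.+013+29597.key", "Kkreme.com.+013+29597.state", "Kkreme.com.+013+29597.private",
]
SAMPLE_DIG = """\
kreme.com. 3600 IN A 65.121.55.45
kreme.com. 3600 IN RRSIG A 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Sea2LP==
kreme.com. 3600 IN RRSIG DNSKEY 13 2 3600 20210415161448 20210401155316 29597 kreme.com. Qx9a==
"""

def keys_in_use(dig_output):
    """Return the set of (zone, alg, keytag) named by any RRSIG in the dig output."""
    used = set()
    for line in dig_output.splitlines():
        m = RRSIG_RE.search(line)
        if m:
            used.add((m["signer"].rstrip(".").lower(), int(m["alg"]), int(m["tag"])))
    return used

def key_files_by_key(filenames):
    """Group key-directory file names by the (zone, alg, keytag) they belong to."""
    groups = {}
    for name in filenames:
        m = KEYFILE_RE.match(name)
        if m:
            key = (m["zone"].lower(), int(m["alg"]), int(m["tag"]))
            groups.setdefault(key, []).append(name)
    return groups

def stale_key_files(filenames, dig_output):
    """Files of keys that sign no RRset in the observed output. Report only: a key in
    pre-publication would also appear here, so check its .state file before acting."""
    used = keys_in_use(dig_output)
    return sorted(f for k, fs in key_files_by_key(filenames).items() if k not in used for f in fs)

if __name__ == "__main__":
    for f in stale_key_files(SAMPLE_KEY_FILES, SAMPLE_DIG):
        print("no longer signing:", f)
```

Query DNSKEY as well as A when collecting real output, since a KSK only signs the DNSKEY RRset and would otherwise be reported as stale.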
On 05-04-2021 18:27, @lbutlr wrote:
If I do:
cd /etc/named/working/main/
for i in *; do dig $i +dnssec | grep "A 13 2" | awk '{print $1}';done
I see a list of all the domains on the system, so that's good, everything has a
ALG-13 signature.
If I do
for i in *; do dig $i +dnssec | grep "A 7 2" | awk '{print $1}';done
I see a list of a handful of domains that still have ALG-7 signatures. This is
confirmed by a warning in dnsviz.
I don't see any differences in the configurations, and none of the main records
on the registrar list ALG-7 anymore, only ALG-13.
All of the domains are set up with dnssec-policy default.
There are still 007 key files on the system for ALL domains (unexpected), updated
every hour (expected).
8 -rw-r--r-- 1 bind bind 1.0K Apr 5 06:21 Kkreme.com.+007+01083.key
8 -rw-r--r-- 1 bind bind 587B Apr 5 06:21 Kkreme.com.+007+01083.state
8 -rw------- 1 bind bind 3.3K Apr 5 06:21 Kkreme.com.+007+01083.private
8 -rw-r--r-- 1 bind bind 708B Apr 5 06:21 Kkreme.com.+007+30512.key
8 -rw-r--r-- 1 bind bind 520B Apr 5 06:21 Kkreme.com.+007+30512.state
8 -rw------- 1 bind bind 1.8K Apr 5 06:21 Kkreme.com.+007+30512.private
8 -rw-r--r-- 1 bind bind 399B Apr 5 06:21 Kkreme.com.+013+29597.key
8 -rw-r--r-- 1 bind bind 651B Apr 5 06:21 Kkreme.com.+013+29597.state
8 -rw------- 1 bind bind 215B Apr 5 06:21 Kkreme.com.+013+29597.private
This domain does not show any ALG-7 keys in dig:
# dig kreme.com +dnssec +short
65.121.55.45
A 13 2 3600 20210415161448 20210401155316 29597 kreme.com.
Sea2LPlKGeH/aP1kwONwtuH0Jkp2TVHNb/v9PEOUiVQVzCwKMkg79+K9
bE8yhNQ2vLV4Fxvzk4jknP8Cbq98lQ==
Is there anything I need to do here or not? Will those alg-7 key files continue
to hang around forever? Do I need to do something to get dnsviz and dig +dnssec
to stop reporting the old keys or is that like propagation and it will sort
itself out? I don't see a pattern in the domains that are still showing alg-7
but it is possible they had the DS/registrar info updated later than the other
domains.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users