Hi all!
I also know a colleague which was hit by the same issue, causing problems to their zone. Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For example that problem with different algos should be mentioned in https://kb.isc.org/docs/dnssec-key-and-signing-policy Further, I suggest to add something like the following sentence to that article: Changing DNSSEC configuration can lead to unexpected zone changes and should be tested on dedicated test systems before. If you do this on a hidden master, you could also temporarily disable outgoing XFR by configuring 'allow-transfer {"none";};' on that zone to prevent leakage of broken DNSSEC zones. This way you can check the zone after migration and only after successful testing (i.e. using https://dnsviz.net/d/ops.nic.at/analyze/ with advanced options, pointing directly to the hidden master) re-enable outgoing XFR. Regards Klaus Von: bind-users <bind-users-boun...@lists.isc.org> Im Auftrag von Nick Tait via bind-users Gesendet: Donnerstag, 28. Dezember 2023 04:01 An: bind-users@lists.isc.org Betreff: Re: migration from auto-dnssec to dnssec-policy deletes keys immediately On 28 Dec 2023, at 1:05 PM, Adrian Zaugg <lists.isc....@mailgurgler.com<mailto:lists.isc....@mailgurgler.com>> wrote: 2023-12-27 23:51:24: zone myzone.ch/IN (signed): reconfiguring zone keys 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/14076 (KSK) 2023-12-27 23:51:24: keymgr: retire DNSKEY myzone.ch/ECDSAP256SHA256/3654 (ZSK) 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/2336 (KSK) created for policy mypolicy 2023-12-27 23:51:24: keymgr: DNSKEY myzone.ch/ED25519/35413 (ZSK) created for policy mypolicy Your DNSSEC policy “mypolicy” specifies a different algorithm (ED25519) to what was previously in effect (ECDSAP256SHA256), which is why Bind generated new keys. If you want Bind to keep the old keys when transitioning to dnssec-policy you should initially specify the same algorithm in your policy. My understanding is that after you’ve transitioned to using dnssec-policy you should be able to change the algorithm and Bind should do a graceful roll-over? Just make sure everything is “omnipresent” in your state files (in the keys directory) first. Nick.
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users