Firstly use dnssec-settime to manage the removal of the keys from the zone.
Named periodically scans the key directory to see if a key has been marked
to change state.
Note a key should not be removed from a zone while there are still RRSIGs
that were generated from it in the zone or in caches.

From the dnssec-settime man page

       -I date/offset
              This option sets the date on which the key is to be retired.
              After that date, the key is still included in the zone, but
              it is not used to sign it.

       -D date/offset
              This option sets the date on which the key is to be deleted.
              After that date, the key is no longer included in the zone.
              (However, it may remain in the key repository.)

The algorithm and key id are encoded into the file name.

The key files record the various dates in the key files with the
times recorded in UTC in ISO format.

e.g.
This key was created, published and activated Tue Mar 22 14:17:34 2022.
It has not been inactivated (-I) or been marked for deletion from the zone (-D).

K.+005+12816.key:

; This is a zone-signing key, keyid 12816, for .
; Created: 20220322031734 (Tue Mar 22 14:17:34 2022)
; Publish: 20220322031734 (Tue Mar 22 14:17:34 2022)
; Activate: 20220322031734 (Tue Mar 22 14:17:34 2022)
. IN DNSKEY 256 3 5 AwEAAfOwUKzeKqoZ98OnL3Gr6bbgkRYP7C/e2pj1VRxwnkh+Uy/KJ+l4 
n5wcJVe6wQubIdNrwsPuhOOUjvJZwFfoEZAA5XkAs8/u9iWO2zNRswAN 
S3twZtaLK/3wMDwagBNW3ELw8UvQiaoDvqNkTVYSUOMVEmmmJYLUCZwb 
rncN/nSEJswwgna+s0wrj8QByq/R/y9WN4F46BbgvANirFQZm3izhYLd 
HjZVWrVBaynBUnjMrU8JI88KPzz5PhhhCOX/7Keh3Xqj7dWOZn4cYD/3 
Yx8qz+x3siJUtXQHp4SViKGIQX8FmEATDFRyL0nWAe+GfahdwaUYOE5x oF9AIKAUJsc=

K.+005+12816.private:

Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: 
87BQrN4qqhn3w6cvcavptuCRFg/sL97amPVVHHCeSH5TL8on6XifnBwlV7rBC5sh02vCw+6E45SO8lnAV+gRkADleQCzz+72JY7bM1GzAA1Le3Bm1osr/fAwPBqAE1bcQvDxS9CJqgO+o2RNVhJQ4xUSaaYlgtQJnBuudw3+dIQmzDCCdr6zTCuPxAHKr9H/L1Y3gXjoFuC8A2KsVBmbeLOFgt0eNlVatUFrKcFSeMytTwkjzwo/PPk+GGEI5f/sp6HdeqPt1Y5mfhxgP/djHyrP7HeyIlS1dAenhJWIoYhBfwWYQBMMVHIvSdYB74Z9qF3BpRg4TnGgX0AgoBQmxw==
PublicExponent: AQAB
PrivateExponent: 
UEQShqYU8ntkLyc5yty/uhNk5pnvB2OFqB0i4B++Gw2088hH9jBbjk19BVUHsf1ymlNjzyqYzedIYE4suye+5SpOa1lOYN6KaBuSWuh9p7Y5VxrSXLdxkY6ULK/j4LrbCReYuwqg1YWvPN1UVdXpm6p8qpzlvR5/XdKGWEOdPR4HqTt22DpxStckrZ52g5vMZ+7/xurfrrw79h5rqauk03haQ0+WHMqoVTrvEXO7Ao2juFnX4gB/c7Qsx8tJvfk74w7H1r/AuaBYHkqMOce0Obpjq3fwqyS0tPElj702pCvdfDtZI2rY1PiUEjPEVtnlbrAw111vOyYwaAPy8RVw2Q==
Prime1: 
+mzLu2MYzX7U0dfwSu1J+VMYEeLIk5LDO5sBIdOTcR+i1MpF5gvqTu5/89weNYdSjgInZfgyntc0nZsj2jXCkWyPTKOtngx5KP67rLNtxdY+bD5HE7Ze985JVKwUaahnn6nTzf12lyDjbegVKyW/FL2IuYbZdiQ5Y9PKpYMWFI8=
Prime2: 
+R0g5/pd2jZV6Vj//L5rHB4OjyUEUnsdc6qs+vrrfzemTFAKjTjGyayXTYS82R3k5luxej5GNvji/J/Ly6eQnbFKI7dhPbOX2W1wSkhCOLgXPPSoBzQIeu/0XD1XJwhrf3IZt6HPw5NUBBY9yCP+2Tk58qDlOEnCpTNJeMC8Fkk=
Exponent1: 
nNeDCgvYvuuOsxbBosvXJtaKHrmg0fx7VluQa/UtRQ6BVzCQcrJHv8PUU5ErQm9MnzBuKIk4ew9iHsvJuqMtBxOs9F0XIgPB5pEUTefa+qtiUTz4Gzp/ZEjI2MUly77zl6Yvx7XVjnXEu1M93tY3RPAoL7prfHjXkNRW+S6Op7U=
Exponent2: 
iOibVyLgRbcrDC3fslYso61ZLw6XC4WiMBmTK/SPTMGW4cXzpp2XkusJ1I6pA2JMlNW7+oUTLc8nYNOpu2mCL0hqiKqWBMUZJWPiHNENpAJ4swV6+0p7hqUt1SvZJBiai9Z3j9acSs5DlGNs3Pv7agLreA85KvBOy2AedwDl3hE=
Coefficient: 
GCuVIunQ0WTXrXbug5L0Fn16fc28dBe+uHfLoNRix4p33ZPhAjahT6VLA5F7o9suwA98Ppc9IBh82qfJPqlk3v3nBV5GY5K+ivq4Huy4US9t19TqWog+tzmbVTYFzueXnJPzCPHtG7x5ps5PaxD17GDQWaSHK8idOijAPmbSOY4=
Created: 20220322031734
Publish: 20220322031734
Activate: 20220322031734



> On 29 Jul 2023, at 20:13, Axel Rau <axel....@chaos1.de> wrote:
> 
> Hi all,
> 
> I have several ZSKs in one zone, but only one is being
> used for signing.
> The others seem to be relicts from earlier rollovers.
> I would like to delete the unused DNSKEY RRs via nsupdate,
> but how can I identify a DNSKEY by label ?
> 
> The zone has not yet been converted to dnssec-policy but
> uses still auto-dnssec maintain.
> 
> Axel
> ---
> PGP-Key: CDE74120  ☀ mobile: +49 160 7568212
> computing @ chaos claudius
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
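
The following is an added example, not part of the original message or of BIND: a small parser that reads the algorithm and key id from a key file name and the timing comments from a .key file, then classifies the key using the -I/-D semantics quoted from the man page. It assumes the -I and -D dates are written as `; Inactive:` and `; Delete:` lines in the same style as the lines shown above; the second sample and its dates are constructed.

```python
import re
from datetime import datetime, timezone

# K<zone>+<3-digit algorithm>+<5-digit key id>.key or .private
NAME_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.(?:key|private)$")
# Timing lines: "; Label: YYYYMMDDHHMMSS ..." in .key, "Label: ..." in .private
TIME_RE = re.compile(r"^;?\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})\b")

# Timing comments copied from K.+005+12816.key on this page.
PAGE_KEY = """\
; This is a zone-signing key, keyid 12816, for .
; Created: 20220322031734 (Tue Mar 22 14:17:34 2022)
; Publish: 20220322031734 (Tue Mar 22 14:17:34 2022)
; Activate: 20220322031734 (Tue Mar 22 14:17:34 2022)
"""
# Constructed sample: the same key after -I and -D dates were set (dates invented).
RETIRING_KEY = PAGE_KEY + """\
; Inactive: 20230701000000 (constructed)
; Delete: 20230901000000 (constructed)
"""

def parse_name(filename):
    """Return (zone, algorithm, key id) encoded in a key file name."""
    m = NAME_RE.match(filename)
    if m is None:
        raise ValueError(f"not a key file name: {filename!r}")
    return m["zone"], int(m["alg"]), int(m["keyid"])

def parse_times(text):
    """Map each timing label to a timezone-aware UTC datetime."""
    times = {}
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            stamp = datetime.strptime(m[2], "%Y%m%d%H%M%S")
            times[m[1]] = stamp.replace(tzinfo=timezone.utc)
    return times

def key_state(times, now):
    """Classify a key at time `now` using the -I/-D semantics quoted above."""
    for label, state in (("Delete", "deleted"), ("Inactive", "retired"),
                         ("Activate", "active"), ("Publish", "published")):
        if label in times and times[label] <= now:
            return state
    return "unpublished"

if __name__ == "__main__":
    now = datetime(2023, 7, 29, tzinfo=timezone.utc)
    print(parse_name("K.+005+12816.key"), key_state(parse_times(PAGE_KEY), now))
    print(key_state(parse_times(RETIRING_KEY), now))
```

A key reported as "retired" is still published in the zone, so its RRSIGs can expire from the zone and from caches before the Delete date is reached.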
