DNSSEC Key Rollover Questions

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 20 09:39:01 UTC 2011

On 06/18/2011 03:48 PM, Spain, Dr. Jeffry A. wrote:
> Assume that bind 9.8.0 is in operation. A zone is configured with
> auto-dnssec maintain, and the zone signing keys K and its successor K’
> are published. Further assume that the activation time for K has passed
> and the zone is properly signed with K. Now suppose that the activation
> time for K’ arrives. Should I expect bind to generate RRSIG records with
> K’ right away?

No. It will only be used for new signatures, so you'll need to wait for 
some old signature to expire (or an update with DDNS) to see RRSIG with 
that key.

 > Now suppose that the deactivation date for K arrives one
> day later. Should I expect bind to remove RRSIG records for K right
> away? Or only after the signature expiration times of those signatures?

The latter, with a minor correction - the RRSIGs will be removed at 
0.75*lifetime (by default) rather than exactly at the expiry time.

If you *delete* the key, it'll immediately strip the old RRSIGs, and it 
is smart enough to replace them with RRSIGs from the new ZSK (or if 
you've erroneously removed the only ZSK, the KSK!).

I strongly advise against removing a key with extant signatures.

n.b. this is all from memory and tests I did under bind 9.7, so might 
either be wrong or have changed, but I don't think so. If you want to be 
sure, it's pretty easy to create a fake local zone and play with "rndc" 
and "dnssec-settime"

More information about the bind-users mailing list