DNSSEC Key Rollover Questions
p.mayers at imperial.ac.uk
Mon Jun 20 09:39:01 UTC 2011
On 06/18/2011 03:48 PM, Spain, Dr. Jeffry A. wrote:
> Assume that bind 9.8.0 is in operation. A zone is configured with
> auto-dnssec maintain, and the zone signing keys K and its successor K’
> are published. Further assume that the activation time for K has passed
> and the zone is properly signed with K. Now suppose that the activation
> time for K’ arrives. Should I expect bind to generate RRSIG records with
> K’ right away?
No. It will only be used for new signatures, so you'll need to wait for
some old signature to expire (or an update with DDNS) to see RRSIG with
> Now suppose that the deactivation date for K arrives one
> day later. Should I expect bind to remove RRSIG records for K right
> away? Or only after the signature expiration times of those signatures?
The latter, with a minor correction - the RRSIGs will be removed at
0.75*lifetime (by default) rather than exactly at the expiry time.
If you *delete* the key, it'll immediately strip the old RRSIGs, and it
is smart enough to replace them with RRSIGs from the new ZSK (or if
you've erroneously removed the only ZSK, the KSK!).
I strongly advise against removing a key with extant signatures.
n.b. this is all from memory and tests I did under bind 9.7, so might
either be wrong or have changed, but I don't think so. If you want to be
sure, it's pretty easy to create a fake local zone and play with "rndc"
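The timeline the reply describes can be checked without a running name server by reading the timing metadata that dnssec-keygen and dnssec-settime write as comments at the top of each K*.key file. The following is an added example, not code from the original post or from BIND: it parses those Created/Publish/Activate/Inactive/Delete comment lines, reports which ZSKs BIND would use for new signatures at a given instant, and models what happens to an existing RRSIG (kept, re-signed at 0.75 of its lifetime, or stripped when its key is deleted). It assumes the comment format shown in the sample files, BIND's default 30-day sig-validity-interval, and the 0.75 re-sign fraction stated in the reply; the two key files and their key material are constructed sample data, not real keys.

```python
"""Model BIND auto-dnssec ZSK rollover from key-file timing metadata.

Added example, not code from the original post or from BIND.  Assumes
the '; Activate: YYYYMMDDHHMMSS (...)' comment format that dnssec-keygen
writes, a default sig-validity-interval of 30 days, and re-signing at
0.75 of the signature lifetime as the reply states.
"""
from datetime import datetime, timedelta
import re

# Constructed sample key files.  K (keyid 12345) is the ZSK in use, K'
# (keyid 23456) its successor, activated one day before K goes inactive.
# The DNSKEY rdata is placeholder text, not real key material.
ZSK_K = """\
; This is a zone-signing key, keyid 12345, for example.test.
; Created: 20110601000000 (Wed Jun  1 00:00:00 2011)
; Publish: 20110601000000 (Wed Jun  1 00:00:00 2011)
; Activate: 20110610000000 (Fri Jun 10 00:00:00 2011)
; Inactive: 20110622000000 (Wed Jun 22 00:00:00 2011)
; Delete: 20110722000000 (Fri Jul 22 00:00:00 2011)
example.test. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSK1
"""

ZSK_K2 = """\
; This is a zone-signing key, keyid 23456, for example.test.
; Created: 20110611000000 (Sat Jun 11 00:00:00 2011)
; Publish: 20110611000000 (Sat Jun 11 00:00:00 2011)
; Activate: 20110621000000 (Tue Jun 21 00:00:00 2011)
; Inactive: 20110801000000 (Mon Aug  1 00:00:00 2011)
; Delete: 20110901000000 (Thu Sep  1 00:00:00 2011)
example.test. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDZSK2
"""

HEADER_RE = re.compile(r"^; This is a (zone|key)-signing key, keyid (\d+), for (\S+)", re.M)
TIMING_RE = re.compile(r"^; (Created|Publish|Activate|Inactive|Delete): (\d{14})", re.M)


def ts(stamp):
    """Parse a dnssec-keygen style YYYYMMDDHHMMSS timestamp."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


def parse_key_file(text):
    """Return keyid, role, zone and whatever timing fields the .key file carries."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dnssec-keygen header comment found")
    key = {"keyid": int(m.group(2)),
           "role": "ZSK" if m.group(1) == "zone" else "KSK",
           "zone": m.group(3)}
    for name, stamp in TIMING_RE.findall(text):
        key[name] = ts(stamp)
    return key


def signing_keys(keys, now):
    """ZSK keyids used for *new* signatures at 'now': past Activate and
    before both Inactive and Delete.  Several keys can be active at once,
    as in the one-day overlap of the sample keys."""
    return sorted(k["keyid"] for k in keys
                  if k["role"] == "ZSK" and "Activate" in k
                  and k["Activate"] <= now
                  and now < k.get("Inactive", datetime.max)
                  and now < k.get("Delete", datetime.max))


def resign_time(inception, validity=timedelta(days=30), fraction=0.75):
    """When an RRSIG is replaced: 0.75 of the way through its validity
    (7.5 days before expiry with the 30-day default), per the reply."""
    return inception + validity * fraction


def rrsig_state(inception, signer, keys, now, validity=timedelta(days=30)):
    """What BIND does with an RRSIG made by 'signer' at 'inception' when
    the zone is examined at 'now'."""
    key = next(k for k in keys if k["keyid"] == signer)
    if now >= key.get("Delete", datetime.max):
        return "stripped"            # key deleted: its RRSIGs go at once
    if now >= inception + validity:
        return "expired"             # should never be reached with re-signing
    if now >= resign_time(inception, validity):
        active = signing_keys(keys, now)
        # Inactive keys are not used for the replacement; with no active
        # ZSK left, the reply notes BIND falls back to the KSK.
        return "resigned by " + (",".join(map(str, active)) if active else "KSK")
    return "kept"                    # old RRSIG stays even after Inactive


if __name__ == "__main__":
    keys = [parse_key_file(ZSK_K), parse_key_file(ZSK_K2)]
    sig_by_k = ts("20110610000000")  # RRSIG made by K on its activation day
    for when in ("20110620000000", "20110621120000", "20110623000000",
                 "20110703000000", "20110722000000"):
        now = ts(when)
        print(when, "signing:", signing_keys(keys, now),
              "| K's old RRSIG:", rrsig_state(sig_by_k, 12345, keys, now))
```

Run against the sample keys, the output traces the reply's answer: K' joins the signing set when its Activate time arrives, K's existing RRSIG is still "kept" the day after K goes inactive, it is only "resigned by 23456" once 0.75 of its 30-day lifetime has elapsed, and it is "stripped" the moment K's Delete time is reached. Pointing `parse_key_file` at your own K*.key files gives the same trace for a real rollover plan before you hand it to `rndc loadkeys`.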