dnssec-signzone, dsset files and deleted KSK's

John Marshall john.marshall at riverwillow.com.au
Fri Aug 3 08:00:38 UTC 2012

On 03/08/2012 09:28, John Marshall wrote:
> The behaviour of the dsset file generation appears to be unaffected by
> the smart signing switch (-S). The generated dsset file includes all
> KSK's found in the key repository (-K) irrespective of any timing
> metadata (e.g. deleted). The dnssec-settime(8) manual says that deleted
> keys may remain in the key repository but the only way to exclude
> deleted KSK's from the dsset file seems to be to remove them from the
> key repository directory.

I have upgraded to BIND 9.9.1-P2 and see the same behaviour there as
well. Unless I am missing something obvious, it seems that the only way
to avoid having "dnssec-signzone -g" for a parent zone pick up stale DS
records from dsset files generated by "dnssec-signzone -S" for the child
zones is to remove deleted KSK's from the (-K) key repository directory
prior to signing the child zones.

John Marshall
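The workaround described in the message above (clearing deleted KSKs out of the -K directory before signing the child zones) can be scripted. The following is an added example, not part of the original post and not BIND's own tooling. It assumes the `; Delete: YYYYMMDDHHMMSS (...)` comment that dnssec-settime records in `K*.key` files; the function names, the archive directory and the sample key files are hypothetical or constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the archive
# directory are hypothetical. Assumes the "; Delete: YYYYMMDDHHMMSS (...)"
# comment that dnssec-settime records in K*.key files.

# stale_ksks KEYDIR [NOW]
# Prints the base name of every KSK in KEYDIR whose Delete time is at or
# before NOW (UTC, YYYYMMDDHHMMSS; defaults to the current time).
stale_ksks() {
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    for keyfile in "$1"/K*.key; do
        [ -f "$keyfile" ] || continue
        # A KSK has the SEP bit set: DNSKEY flags 257, or 385 once revoked.
        awk -v now="$now" '
            /^; Delete: [0-9]+/ { del = $3 }
            !/^;/ { for (i = 1; i < NF; i++) if ($i == "DNSKEY") flags = $(i + 1) }
            END { exit !((flags == 257 || flags == 385) && del != "" && del <= now) }
        ' "$keyfile" && basename "$keyfile" .key
    done
    return 0
}

# archive_stale_ksks KEYDIR ARCHIVEDIR [NOW]
# Moves the .key and .private halves of each stale KSK out of the repository
# so that a later "dnssec-signzone -S" run cannot put them in the dsset file.
archive_stale_ksks() {
    mkdir -p "$2" || return 1
    stale_ksks "$1" "$3" | while read -r base; do
        mv "$1/$base.key" "$2/" || exit 1
        if [ -f "$1/$base.private" ]; then mv "$1/$base.private" "$2/"; fi
        echo "archived $base"
    done
}

# make_sample_repo DIR: writes three constructed key files (not real keys):
# a deleted KSK, a KSK with no Delete time, and a deleted ZSK (flags 256).
make_sample_repo() {
    del='; Delete: 20120701000000 (Sun Jul  1 00:00:00 2012)'
    printf '%s\nexample.com. IN DNSKEY 257 3 8 CONSTRUCTED\n' "$del" > "$1/Kexample.com.+008+11111.key"
    printf 'example.com. IN DNSKEY 257 3 8 CONSTRUCTED\n' > "$1/Kexample.com.+008+22222.key"
    printf '%s\nexample.com. IN DNSKEY 256 3 8 CONSTRUCTED\n' "$del" > "$1/Kexample.com.+008+33333.key"
}

# Run as: sh script.sh KEYDIR ARCHIVEDIR
if [ "$#" -eq 2 ]; then archive_stale_ksks "$1" "$2"; fi
```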

More information about the bind-users mailing list