auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis Mathew.Eis at nau.edu
Tue Jul 5 16:20:44 UTC 2016


> How promptly are you deleting the key files?

Any time >= deletion time, varying… we think this could explain why only some of the DNSKEYs are becoming zombies, but not all.

> Are you allowing enough time for named to go through a zone key maintenance cycle? (which is hourly if I remember correctly)

I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone key maintenance cycle” of an hour, and the docs also casually mention that “by default, this [key] rollover completes in 30 days” [1]. 

How long after deletion time is it safe to actually remove the underlying key files, if it isn’t the deletion time itself?

-Mathew Eis

[1] ftp://ftp.isc.org/isc/bind/9.8.0-P4/doc/arm/Bv9ARM.ch04.html

-----Original Message-----
From: Tony Finch <dot at dotat.at>
Date: Monday, July 4, 2016 at 8:08 AM
To: Mathew Eis <Mathew.Eis at nau.edu>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis <Mathew.Eis at nau.edu> wrote:
>
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to determine whether or not to remove the DNSKEY from
> the zone.

How promptly are you deleting the key files? Are you allowing enough time
for named to go through a zone key maintenance cycle? (which is hourly if
I remember correctly)

> Lastly, so long as a zone is properly signed with a different key, are
> there any concerns with manually removing the zombie DNSKEY records via
> an update even while auto-dnssec maintain is enabled?

I believe that should work.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
North Rockall: Westerly or northwesterly 3 or 4, increasing 5 at times.
Moderate. Showers. Good.



More information about the bind-users mailing list