auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis Mathew.Eis at
Tue Jul 5 22:30:12 UTC 2016

Thanks for the clarification.

In terms of config options, I assume we are talking about the following:
dnssec-loadkeys-interval (with a default of 60 minutes)
sig-validity-interval (with a default of 30 days)


A new key should be published for at least [sig-validity-interval] before deletion of the old key to allow for sufficient time for the signatures to roll over to the newer key. Presumably anything less may cause a potential extended use of the old key (beyond expiration and possibly even deletion times).

As far as removing the underlying key file, it sounds like the best practice would be to wait until the key has been removed from DNS (after deletion time, but possibly later if other configs are not sane) - plus waiting an additional dnssec-loadkeys-interval before finally removing the underlying file.

With both of the above in place, auto-dnssec maintain should do its thing and not hang onto zombie keys anymore.

Does all of that sound right?

Thanks again,

-Mathew Eis

From: Tony Finch <dot at>
Date: Tuesday, July 5, 2016 at 10:48 AM
To: Mathew Eis <Mathew.Eis at>, "bind-users at" <bind-users at>
Subject: Re: auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis <Mathew.Eis at> wrote:
> > Are you allowing enough time for named to go through a zone key maintenance cycle? (which is hourly if I remember correctly)
> I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone
> key maintenance cycle” of an hour, and the docs also casually mention
> that “by default, this [key] rollover completes in 30 days” [1].

These are two separate things.

The zone key maintenance timer controls when named re-examines a zone's keys (checks for changes to the files, loads new keys, etc.) I haven't checked this myself in detail, but named can get confused and upset if a key file disappears while named thinks the key is still in use, so I suspect it might go wrong if the file is deleted after the key deletion time but before the zone key timer triggers.

The rollover time is related to the signature lifetime - you have to stop signing with a key, allow a month for the signatures to be replaced, then delete the key, and you specify all this with dnssec-settimes, and check it is sane with dnssec-coverage. (Which I am sure you know but I wanted to avoid confusion.)

> How long after deletion time is it safe to actually remove the underlying
> key files, if it isn’t the deletion time itself?

You should probably augment your key file deletion script to verify that the key has in fact gone from the zone - if you add suitable warning diagnostics it will probably reveal what is actually going wrong, more reliably than my guesses!

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list