SOA record not signed with new key at key-rollover

Nis Wechselberg enbewe at
Fri Jul 15 11:30:49 UTC 2016


I am curently testing a dnssec setup with the new dnssec-keymgr tool. I
created a test zone with very fast key rollover setings and very short
TTLs. (Configs below)

The automated creation of keys seems to work fine but bind behaves other
than I would have expected.

- Initial deployment looks fine with the current ZSK published and in use.

- At prepublication time the next key is published but not yet used (as

- After rollover time the new key is used to sign the zone EXCEPT the
SOA record. This one is still signed by the old key.

- When post-publication of the old key expires it is removed and the new
key is used for all records.

I am confused becaus of the special treatment of the SOA record. I would
expect a complete switch to the new key. At the moment, cached responses
of the SOA record could not be verified in the timeframe between
deletion of the old key and the next TTL.

Am I missing something?



dnssec-keymgr policy:

zone {
  algorithm RSASHA256;
  directory "/etc/bind/zones/keys";
  coverage 2d;
  keyttl 600;
  roll-period zsk 8h;
  post-publish zsk 2h;
  pre-publish zsk 2h;

bind zone config:

zone "" IN {
  type master;

  file "de/";

  // Allow zone transfers to trusted servers
  allow-transfer {

  // Allow updates with shared key
  update-policy {
    grant morpheus-trinity. zonesub any;
  serial-update-method unixtime;

  // Activate dnssec for this domain
  key-directory "keys";
  auto-dnssec maintain;

More information about the bind-users mailing list