KASP Inactive/Retired timestamps

Gregory Shapiro bind-users at g.gshapiro.net
Wed May 20 00:37:20 UTC 2020


After the fantastic ISC DNSSEC webinar series last month, I began using KASP for my DNSSEC signed zones.  I have noticed an odd behavior with regard to the files BIND keeps in keys/ (K*.key, K*.private, and K*.state).  For inactive/retired keys, every BIND restart updates the dates in those files (see below).  This raises two questions:

1. Should the time a key becomes inactive or retired be a fixed point in time rather than changing to the last time BIND restarted for every restart?

2. When, if ever, is it safe to remove the files from the keys directory for inactive/retired keys (i.e., is there a state after Inactive or Retired)?

An example set of changes is shown in the pruned diff below.  Note that for this particular key, the state file shows the following states:

	DNSKEYState: hidden
	ZRRSIGState: hidden
	GoalState: hidden

--- Kgshapiro.net.+008+05640.key        18 May 2020 02:06:14 -0000      1.9
+++ Kgshapiro.net.+008+05640.key        19 May 2020 23:53:06 -0000
-; Inactive: 20200518020420 (Tue May 18 02:04:20 2020)
+; Inactive: 20200519230430 (Tue May 19 23:04:30 2020)
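Review bot: the human-readable date on the removed line, "Tue May 18 02:04:20 2020", does not match the calendar: the message header dates the post to Wednesday 20 May 2020, so 18 May was a Monday, which suggests the `-` line was reconstructed rather than copied verbatim from revision 1.9 of the file. The 14-digit field 20200518020420 is the value to rely on when comparing. Note also that the new value 20200519230430 sits roughly 49 minutes before the file's own 23:53:06 revision time, so (assuming both are in the same zone) the rewritten Inactive time is not simply the moment the file was written.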

--- Kgshapiro.net.+008+05640.private    18 May 2020 02:06:14 -0000      1.9
+++ Kgshapiro.net.+008+05640.private    19 May 2020 23:53:06 -0000
-Inactive: 20200518020420
+Inactive: 20200519230430

--- Kgshapiro.net.+008+05640.state      18 May 2020 02:06:14 -0000      1.8
+++ Kgshapiro.net.+008+05640.state      19 May 2020 23:53:06 -0000
-Retired: 20200518020420 (Tue May 18 02:04:20 2020)
+Retired: 20200519230430 (Tue May 19 23:04:30 2020)
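Review bot: the `Retired:` value changes from 20200518020420 to 20200519230430, identical to the `Inactive:` change in the .key and .private hunks above, so all three files are being rewritten from one recomputed time rather than drifting independently. The DNSKEYState, ZRRSIGState and GoalState lines quoted above the diff do not appear in this hunk, so the state values stayed hidden while only the timestamp moved. The same weekday mismatch ("Tue May 18") is present on the removed line here too.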

Thanks!
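A check an operator can run to see exactly which timing fields move across a restart, added here as an example (my own script, not BIND's tooling and not from the original post): it parses the Inactive/Retired timestamps and the *State lines out of two snapshots of the keys/ files and lists every field whose value changed, flagging keys whose states are all hidden. The sample file contents are constructed to mirror the diff above; the regexes assume the `Field: YYYYMMDDHHMMSS` line shape shown there.

```python
import re
from datetime import datetime, timezone

# "; Inactive: 20200519230430 (...)" in .key, "Inactive: 20200519230430" in .private and
# "Retired: 20200519230430 (...)" in .state share one shape: optional ";", field name, 14 digits.
TIME_RE = re.compile(r"^;?\s*([A-Za-z]+):\s*(\d{14})\b")
STATE_RE = re.compile(r"^(\w+State):\s*(\S+)")  # e.g. "DNSKEYState: hidden" in .state

def parse_key_metadata(text):
    """Return ({timing field: UTC datetime}, {state field: value}) for one key file's text."""
    times, states = {}, {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states[m.group(1)] = m.group(2)
            continue
        m = TIME_RE.match(line)
        if m:
            times[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return times, states

def all_hidden(states):
    """True when every *State field reads 'hidden', as for the key quoted in the post."""
    return bool(states) and all(v == "hidden" for v in states.values())
def timing_drift(before, after):
    """Return (file, field, old, new, all_hidden) for each timing field that differs between two
    snapshots ({filename: contents}) of the keys/ directory, e.g. taken before and after a restart."""
    drift = []
    for name, old_text in before.items():
        if name in after:
            old_times, _ = parse_key_metadata(old_text)
            new_times, new_states = parse_key_metadata(after[name])
            for field, old_ts in old_times.items():
                new_ts = new_times.get(field)
                if new_ts is not None and new_ts != old_ts:
                    drift.append((name, field, old_ts, new_ts, all_hidden(new_states)))
    return drift
# Constructed snapshots modelled on the diff in the post (only the fields shown there).
BEFORE = {
    "Kgshapiro.net.+008+05640.key": "; Inactive: 20200518020420 (Mon May 18 02:04:20 2020)\n",
    "Kgshapiro.net.+008+05640.private": "Inactive: 20200518020420\n",
    "Kgshapiro.net.+008+05640.state": "Retired: 20200518020420 (Mon May 18 02:04:20 2020)\n"
                                      "DNSKEYState: hidden\nZRRSIGState: hidden\nGoalState: hidden\n",
}
AFTER = {k: v.replace("20200518020420", "20200519230430").replace("Mon May 18 02:04:20", "Tue May 19 23:04:30")
         for k, v in BEFORE.items()}
if __name__ == "__main__":
    for name, field, old, new, hidden in timing_drift(BEFORE, AFTER):
        print(f"{name}: {field} {old:%Y%m%d%H%M%S} -> {new:%Y%m%d%H%M%S}", "[all states hidden]" if hidden else "")
```

Feed it real data by reading each K*.key/.private/.state file into the two dicts before and after a restart; a key reported with the hidden flag and a moved Retired time is exactly the case raised in question 1.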

