Problems with the Deletion of Retired Keys in DNSSEC
Τάσος Λολότσης
tlolotsis at gmail.com
Thu Nov 7 20:03:55 UTC 2024
Hello all,
I’m currently facing an issue with DNSSEC key management in BIND and would
appreciate any insights or experiences you might have.
I have configured a DNSSEC policy for my domain with the following settings:
keys {
    csk key-directory lifetime P365D algorithm ecdsa256;
};

// Key timings
dnskey-ttl PT1H;
publish-safety PT1H;
retire-safety PT1H;
purge-keys P30D;

// Signature timings
signatures-refresh P5D;
signatures-validity P14D;
signatures-validity-dnskey P14D;

// Zone parameters
max-zone-ttl P1D;
zone-propagation-delay PT5M;
parent-ds-ttl P1D;
parent-propagation-delay PT1H;
After running the command dnssec -status, I see the following key status for
Key ID: 1002 (ECDSAP256SHA256):
Published: Yes - since Wed Oct 4 14:01:53 2023
Key Signing: Yes - since Wed Oct 4 14:01:53 2023
Zone Signing: No
Key is Retired: Will be removed on Sun Oct 13 15:06:53 2024
Goal: Hidden
DNSKEY: Omnipresent
DS: Unretentive
Zone RRSIG: Hidden
Key RRSIG: Omnipresent
Also, this is the detailed status of the key:
Algorithm: 13
Length: 256
Lifetime: 31536000
Successor: 39133
KSK: yes
ZSK: yes
Generated: 20231004120153 (Wed Oct 4 14:01:53 2023)
Published: 20231004120153 (Wed Oct 4 14:01:53 2023)
Active: 20231004120153 (Wed Oct 4 14:01:53 2023)
Retired: 20241003120153 (Thu Oct 3 14:01:53 2024)
Removed: 20241013130653 (Sun Oct 13 15:06:53 2024)
DSPublish: 20231120105349 (Mon Nov 20 11:53:49 2023)
PublishCDS: 20231005130653 (Thu Oct 5 15:06:53 2023)
DNSKEYChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
ZRRSIGChange: 20241013130653 (Sun Oct 13 15:06:53 2024)
KRRSIGChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
DSChange: 20241003120153 (Thu Oct 3 14:01:53 2024)
DNSKEYState: omnipresent
ZRRSIGState: hidden
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden
I am using the DNSSEC policy settings as shown above, but it appears that
BIND is not automatically removing the key as expected.
The key still seems to be in use, and it has not been removed from the
system despite reaching its retirement and removal dates.
Has anyone else experienced similar issues with DNSSEC policies in BIND?
If so, how did you resolve it? Any advice on troubleshooting or correcting
this issue would be greatly appreciated.
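The following is an added example (not part of the original post or of BIND itself) that parses the per-key metadata quoted above, as printed by rndc dnssec -status, and reports where the key is in its lifecycle. The point it makes explicit: with dnssec-policy the "Will be removed on" date is only a plan. The DNSKEY of a retired CSK is withdrawn only after its DS state has reached hidden, and the DS moves from unretentive to hidden only once BIND knows the parent no longer serves the DS; the purge-keys interval then counts from the time all four states are hidden. The metadata field names are taken from the posted output, except DSRemoved, which is assumed to be the name BIND records when the DS withdrawal is confirmed (rndc dnssec -checkds ... withdrawn); the key id 1002 and the zone name example.com are assumptions for the usage call.

```python
"""Added example: parse BIND key-state metadata and explain why a retired
key whose planned removal time has passed is still present in the zone.
Not BIND code; field names follow the rndc dnssec -status output quoted above."""
import re
from datetime import datetime, timedelta, timezone

STATE_FIELDS = ("DNSKEYState", "ZRRSIGState", "KRRSIGState", "DSState")
TS_RE = re.compile(r"^(\d{14})(?:\s|$)")  # YYYYMMDDHHMMSS, optionally followed by "(...)"

# Constructed sample: the key metadata from the post above.
SAMPLE = """\
Algorithm: 13
Length: 256
Lifetime: 31536000
Successor: 39133
KSK: yes
ZSK: yes
Generated: 20231004120153 (Wed Oct 4 14:01:53 2023)
Published: 20231004120153 (Wed Oct 4 14:01:53 2023)
Active: 20231004120153 (Wed Oct 4 14:01:53 2023)
Retired: 20241003120153 (Thu Oct 3 14:01:53 2024)
Removed: 20241013130653 (Sun Oct 13 15:06:53 2024)
DSPublish: 20231120105349 (Mon Nov 20 11:53:49 2023)
PublishCDS: 20231005130653 (Thu Oct 5 15:06:53 2023)
DNSKEYChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
ZRRSIGChange: 20241013130653 (Sun Oct 13 15:06:53 2024)
KRRSIGChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
DSChange: 20241003120153 (Thu Oct 3 14:01:53 2024)
DNSKEYState: omnipresent
ZRRSIGState: hidden
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden
"""


def ts(value):
    """Parse a BIND key timestamp (YYYYMMDDHHMMSS, UTC) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_metadata(text):
    """Turn 'Name: value' lines into a dict; 14-digit timestamps become datetimes."""
    meta = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        m = TS_RE.match(value)
        meta[name.strip()] = ts(m.group(1)) if m else value
    return meta


def diagnose(meta, now, key_id, zone, purge_keys=timedelta(days=30)):
    """Describe the key's lifecycle position at 'now' (datetime or timestamp string)."""
    if isinstance(now, str):
        now = ts(now)
    not_hidden = [f for f in STATE_FIELDS if meta.get(f) != "hidden"]
    report = {
        "removal_time_passed": now >= meta["Removed"],
        "states_not_hidden": not_hidden,
        # DS withdrawn from CDS/CDNSKEY but BIND has not been told the parent
        # dropped it yet ("DSRemoved" name assumed, see lead-in).
        "ds_awaiting_withdrawal_confirmation": (
            meta.get("DSState") == "unretentive" and "DSRemoved" not in meta
        ),
        "purge_not_before": None,
        "suggested_action": None,
    }
    if not not_hidden:
        # Key is fully out of the zone: purge-keys counts from the last state change.
        last_change = max(meta[f.replace("State", "Change")] for f in STATE_FIELDS)
        report["purge_not_before"] = last_change + purge_keys
    elif report["ds_awaiting_withdrawal_confirmation"]:
        report["suggested_action"] = (
            f"verify the parent no longer serves the DS for key {key_id}, then run: "
            f"rndc dnssec -checkds -key {key_id} withdrawn {zone}"
        )
    return report


if __name__ == "__main__":
    # Assumed key id and zone for the posted metadata, evaluated at the post's date.
    for k, v in diagnose(parse_key_metadata(SAMPLE), "20241107200355", 1002, "example.com").items():
        print(f"{k}: {v}")
```

For the posted key the report shows the removal time has passed while DNSKEY, KRRSIG and DS are still not hidden, with the DS stuck in unretentive: BIND will not withdraw the DNSKEY until it has been told the parent DS is gone, and purge-keys only starts counting after that. Recent BIND versions can detect the parent DS change themselves when parental-agents are configured; otherwise the checkds command is the signal.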