Problems with the Deletion of Retired Keys in DNSSEC
Τάσος Λολότσης
tlolotsis at gmail.com
Fri Nov 8 11:23:28 UTC 2024
Hello,

Thank you very much for the reply. I thought this was happening
automatically because I used dnssec-policy. If it's not happening, is there
something else that can help me automate this process by withdrawing the
key?
On Fri, Nov 8, 2024 at 12:58 AM Crist Clark <cjc+bind-users at pumpky.net>
wrote:
> You need to tell BIND the DS is gone from the parent. See the usage for,
>
> rndc dnssec -checkds withdrawn <zone>
>
> On Thu, Nov 7, 2024 at 12:04 PM Τάσος Λολότσης <tlolotsis at gmail.com>
> wrote:
>
>> Hello all,
>>
>> I’m currently facing an issue with DNSSEC key management in BIND and
>> would appreciate any insights or experiences you might have.
>>
>> I have configured a DNSSEC policy for my domain with the following
>> settings:
>>
>> keys {
>> csk key-directory lifetime P365D algorithm ecdsa256;
>> };
>>
>> // Key timings
>> dnskey-ttl PT1H;
>> publish-safety PT1H;
>> retire-safety PT1H;
>> purge-keys P30D;
>>
>> // Signature timings
>> signatures-refresh P5D;
>> signatures-validity P14D;
>> signatures-validity-dnskey P14D;
>>
>> // Zone parameters
>> max-zone-ttl P1D;
>> zone-propagation-delay PT5M;
>> parent-ds-ttl P1D;
>> parent-propagation-delay PT1H;
>>
>> After running the command dnssec -status, I see the following key status
>> for
>>
>> Key ID: 1002 (ECDSAP256SHA256):
>>
>> Published: Yes - since Wed Oct 4 14:01:53 2023
>> Key Signing: Yes - since Wed Oct 4 14:01:53 2023
>> Zone Signing: No
>> Key is Retired: Will be removed on Sun Oct 13 15:06:53 2024
>>
>> Goal: Hidden
>> DNSKEY: Omnipresent
>> DS: Unretentive
>> Zone RRSIG: Hidden
>> Key RRSIG: Omnipresent
>>
>> Also, this is the detailed status of the key:
>>
>> Algorithm: 13
>> Length: 256
>> Lifetime: 31536000
>> Successor: 39133
>> KSK: yes
>> ZSK: yes
>> Generated: 20231004120153 (Wed Oct 4 14:01:53 2023)
>> Published: 20231004120153 (Wed Oct 4 14:01:53 2023)
>> Active: 20231004120153 (Wed Oct 4 14:01:53 2023)
>> Retired: 20241003120153 (Thu Oct 3 14:01:53 2024)
>> Removed: 20241013130653 (Sun Oct 13 15:06:53 2024)
>> DSPublish: 20231120105349 (Mon Nov 20 11:53:49 2023)
>> PublishCDS: 20231005130653 (Thu Oct 5 15:06:53 2023)
>> DNSKEYChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
>> ZRRSIGChange: 20241013130653 (Sun Oct 13 15:06:53 2024)
>> KRRSIGChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
>> DSChange: 20241003120153 (Thu Oct 3 14:01:53 2024)
>> DNSKEYState: omnipresent
>> ZRRSIGState: hidden
>> KRRSIGState: omnipresent
>> DSState: unretentive
>> GoalState: hidden
>> I am using the DNSSEC policy settings as shown above, but it appears that
>> BIND is not automatically removing the key as expected.
>>
>> The key still seems to be in use, and it has not been removed from the
>> system despite reaching its retirement and removal dates.
>>
>> Has anyone else experienced similar issues with DNSSEC policies in BIND?
>>
>> If so, how did you resolve it? Any advice on troubleshooting or
>> correcting this issue would be greatly appreciated.
>
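One way to automate the step Crist describes, added here as an example and not taken from the thread or from BIND itself: a POSIX shell script that queries the parent's DS RRset for the zone, checks whether the retired key's tag (1002 in the status above) is still listed, and only when it is gone runs `rndc dnssec -checkds withdrawn`. The zone name, key tag and parent name server are assumed command-line arguments, and the dig output format it parses is the `+noall +comments +answer` form.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND: tell named that a
# retired key's DS has been withdrawn from the parent, but only after
# confirming that the parent no longer serves it. Assumes dig and rndc
# are on PATH and that rndc is already configured to reach this named.

# ds_present KEYTAG DIG_OUTPUT
# DIG_OUTPUT is the text printed by `dig +noall +comments +answer DS <zone>`.
# Returns 0 if a DS with that key tag is in the answer, 1 if the answer is
# NOERROR but lacks it, 2 if the query did not succeed (SERVFAIL, NXDOMAIN,
# ...), so an empty answer is never mistaken for "withdrawn".
ds_present() {
  tag=$1
  printf '%s\n' "$2" | awk -v tag="$tag" '
    /status: / { ok = ($0 ~ /status: NOERROR/) }
    $4 == "DS" && $5 == tag { found = 1 }
    END { if (!ok) exit 2; exit (found ? 0 : 1) }'
}

# withdraw_if_gone ZONE KEYTAG PARENT_NS
# Queries one of the parent zone's authoritative servers directly (not a
# recursive resolver, whose cache could still hold the old DS) and, when
# the DS for KEYTAG is gone, tells named so the key can finish retiring.
withdraw_if_gone() {
  zone=$1; tag=$2; parent_ns=$3
  out=$(dig +noall +comments +answer DS "$zone" "@$parent_ns") || return 2
  rc=0; ds_present "$tag" "$out" || rc=$?
  case $rc in
    0) echo "DS for key $tag is still published in the parent; nothing to do"
       return 1 ;;
    1) echo "DS for key $tag is gone from the parent; telling named"
       rndc dnssec -checkds -key "$tag" withdrawn "$zone" ;;
    *) echo "DS lookup for $zone at $parent_ns did not return NOERROR" >&2
       return 2 ;;
  esac
}

# Usage: sh checkds-withdrawn.sh <zone> <keytag> <parent-ns>
# e.g. from cron once the policy's retire date has passed. Does nothing
# when run without arguments.
if [ "$#" -eq 3 ]; then
  withdraw_if_gone "$1" "$2" "$3"
fi
```

Run it against the parent's authoritative servers rather than a resolver, otherwise a cached DS can keep the script reporting "still published" for up to parent-ds-ttl after the registrar has removed it.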