Problems with the Deletion of Retired Keys in DNSSEC
Matthijs Mekking
matthijs at isc.org
Fri Nov 8 15:15:44 UTC 2024
Hi,
To automate this you need to configure parental-agents.
From 9.20.0 you can use the new 'checkds' option to automatically
populate parental-agents.
Best regards,
Matthijs
On 11/8/24 12:23, Τάσος Λολότσης wrote:
> Hello
>
> Thank you very much for the reply. I thought this was happening
> automatically because I used dnssec-policy. If it's not happening, is
> there something else that can help me automate this process by
> withdrawing the key?
>
> On Fri, Nov 8, 2024 at 12:58 AM Crist Clark <cjc+bind-users at pumpky.net
> <mailto:cjc%2Bbind-users at pumpky.net>> wrote:
>
> You need to tell BIND the DS is gone from the parent. See the usage for,
>
> rndc dnssec -checkds withdrawn <zone>
>
> On Thu, Nov 7, 2024 at 12:04 PM Τάσος Λολότσης <tlolotsis at gmail.com
> <mailto:tlolotsis at gmail.com>> wrote:
>
> Hello all,
>
> I’m currently facing an issue with DNSSEC key management in
> BIND and would appreciate any insights or experiences you might
> have.
>
> I have configured a DNSSEC policy for my domain with the
> following settings:
>
> keys {
> csk key-directory lifetime P365D algorithm ecdsa256;
> };
>
> // Key timings
> dnskey-ttl PT1H;
> publish-safety PT1H;
> retire-safety PT1H;
> purge-keys P30D;
>
> // Signature timings
> signatures-refresh P5D;
> signatures-validity P14D;
> signatures-validity-dnskey P14D;
>
> // Zone parameters
> max-zone-ttl P1D;
> zone-propagation-delay PT5M;
> parent-ds-ttl P1D;
> parent-propagation-delay PT1H;
>
> After running the command dnssec -status, I see the following
> key status for
>
> Key ID: 1002 (ECDSAP256SHA256):
>
> Published: Yes - since Wed Oct 4 14:01:53 2023
> Key Signing: Yes - since Wed Oct 4 14:01:53 2023
> Zone Signing: No
> Key is Retired: Will be removed on Sun Oct 13 15:06:53 2024
>
> Goal: Hidden
> DNSKEY: Omnipresent
> DS: Unretentive
> Zone RRSIG: Hidden
> Key RRSIG: Omnipresent
>
> Also this is the details status of the Key
>
> Algorithm: 13
> Length: 256
> Lifetime: 31536000
> Successor: 39133
> KSK: yes
> ZSK: yes
> Generated: 20231004120153 (Wed Oct 4 14:01:53 2023)
> Published: 20231004120153 (Wed Oct 4 14:01:53 2023)
> Active: 20231004120153 (Wed Oct 4 14:01:53 2023)
> Retired: 20241003120153 (Thu Oct 3 14:01:53 2024)
> Removed: 20241013130653 (Sun Oct 13 15:06:53 2024)
> DSPublish: 20231120105349 (Mon Nov 20 11:53:49 2023)
> PublishCDS: 20231005130653 (Thu Oct 5 15:06:53 2023)
> DNSKEYChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
> ZRRSIGChange: 20241013130653 (Sun Oct 13 15:06:53 2024)
> KRRSIGChange: 20231004140653 (Wed Oct 4 16:06:53 2023)
> DSChange: 20241003120153 (Thu Oct 3 14:01:53 2024)
> DNSKEYState: omnipresent
> ZRRSIGState: hidden
> KRRSIGState: omnipresent
> DSState: unretentive
> GoalState: hidden
>
> I am using the DNSSEC policy settings as shown above, but it
> appears that BIND is not automatically removing the key as
> expected.
>
> The key still seems to be in use, and it has not been removed
> from the system despite reaching its retirement and removal dates.
>
> Has anyone else experienced similar issues with DNSSEC policies
> in BIND?
>
> If so, how did you resolve it? Any advice on troubleshooting or
> correcting this issue would be greatly appreciated.
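As an added illustration of the decision that parental-agents / `checkds` automate (this is example code, not code from BIND or from anyone in the thread): a standard-library Python check that parses the parent's DS RRset in presentation format and reports whether the successor DS is published and the retired key's DS has been withdrawn. Key tags 1002 and 39133 come from the status output above; the DS lines, owner name and DNSKEY bytes are constructed sample data.

```python
"""Offline check of a retired key's DS at the parent (added example).

BIND keeps a retired key's DS state at 'unretentive' until it learns that
the parent no longer serves that DS; parental-agents (or a manual
'rndc dnssec -checkds withdrawn') supply that fact. This module shows
the underlying check on constructed input.
"""

# Constructed parent DS RRsets in presentation format:
#   <owner> <ttl> IN DS <key tag> <algorithm> <digest type> <digest>
# Digests are placeholder hex, not real hashes.
PARENT_BEFORE = """\
example.test. 86400 IN DS 1002 13 2 {old}
example.test. 86400 IN DS 39133 13 2 {new}
""".format(old="ab" * 32, new="cd" * 32)

PARENT_AFTER = "example.test. 86400 IN DS 39133 13 2 {new}\n".format(new="cd" * 32)


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over raw DNSKEY RDATA
    (flags, protocol, algorithm, public key); algorithm 1 is not handled."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_ds_lines(rrset_text: str) -> dict:
    """Map key tag -> list of (algorithm, digest type, digest) from DS lines."""
    seen: dict = {}
    for line in rrset_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2:4] != ["IN", "DS"]:
            continue  # skip non-DS or malformed lines
        tag, alg, dtype = (int(f) for f in fields[4:7])
        seen.setdefault(tag, []).append((alg, dtype, "".join(fields[7:])))
    return seen


def rollover_check(parent_ds: dict, retired_tag: int, successor_tag: int) -> dict:
    """The two facts checkds distinguishes: successor DS published at the
    parent ('published'), retired DS no longer served ('withdrawn')."""
    return {
        "published": successor_tag in parent_ds,
        "withdrawn": retired_tag not in parent_ds,
    }
```

Only when `withdrawn` is true for the retired tag is it safe to signal `rndc dnssec -checkds withdrawn` for the zone; until then BIND correctly keeps the DNSKEY published.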