DNSSEC algo rollover fails to delete old keys

Arnold DECHAMPS arnold at adechamps.net
Wed Oct 16 00:54:04 UTC 2024 

Hello everyone,

I made a algo rollover in DNSSEC from algo 8 to algo 13.

Software version : 9.18.28-1~deb12u2-Debian

My zone configuration refers to policies :

==========================================================================

dnssec-policy "algo8" {
     keys {
         ksk lifetime unlimited algorithm rsasha256;
         zsk lifetime 30d algorithm rsasha256;
     };
     max-zone-ttl 1d;
     signatures-validity 14d;
     signatures-refresh 7d;
};

dnssec-policy "algo13" {
     keys {
         ksk lifetime unlimited algorithm 13;
         zsk lifetime 30d algorithm 13;
     };
     max-zone-ttl 1d;
     signatures-validity 14d;
     signatures-refresh 7d;
};

dnssec-policy "algo8-13" {
     keys {
         ksk lifetime unlimited algorithm rsasha256;	// Old Algo
         zsk lifetime 30d algorithm rsasha256;		// Old Algo
	ksk lifetime unlimited algorithm 13;		// New Algo
         zsk lifetime 30d algorithm 13;			// New Algo
     };
     max-zone-ttl 1d;
     signatures-validity 14d;
     signatures-refresh 7d;
};

==========================================================================

The zone config looks like :

==========================================================================

zone "somedomain.com"{
	...
	inline-signing yes;
     	dnssec-policy "algo13";
     	key-directory "/etc/bind/keys";
};

==========================================================================


The initial idea was to switch the config of the domains that had to be rolled over to algo8-13 and temporarily have both keys in the zone waiting for the TTL of the DS records to expire. This was successful and algo 13 is now in use. I then switched to the algo13 policy and deleted the algo 8 keys of my keys directory.

At this point, Bind sees that all the algo 8 keys are expired. It also see's that it can't find the files anymore (which prevents me from using dnssec-settime as far as I know).

==========================================================================
dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
==========================================================================

It stills publishes the DNSKEY in the signed zone. I would like to ideally correct this by forcing bind to discard the old keys. Is this possible to do? And if yes, how?

Regards,

Arnold

More information about the bind-users mailing list