DNSSEC algo rollover fails to delete old keys
Mark Andrews
marka at isc.org
Wed Oct 16 01:20:57 UTC 2024
Restore the keys from backups and let named MANAGE the removal of the
old keys. People really need to stop being impatient with DNSSEC key
management. It is a SLOW process as there are interactions with the
parent zone that need to be co-ordinated and WAIT TIMES that need to
be observed. Named has those rules encoded into it.
Mark
> On 16 Oct 2024, at 11:54, Arnold DECHAMPS <arnold at adechamps.net> wrote:
>
> Hello everyone,
>
> I made an algo rollover in DNSSEC from algo 8 to algo 13.
>
> Software version: 9.18.28-1~deb12u2-Debian
>
> My zone configuration refers to policies:
>
> ==========================================================================
>
> dnssec-policy "algo8" {
>     keys {
>         ksk lifetime unlimited algorithm rsasha256;
>         zsk lifetime 30d algorithm rsasha256;
>     };
>     max-zone-ttl 1d;
>     signatures-validity 14d;
>     signatures-refresh 7d;
> };
>
> dnssec-policy "algo13" {
>     keys {
>         ksk lifetime unlimited algorithm 13;
>         zsk lifetime 30d algorithm 13;
>     };
>     max-zone-ttl 1d;
>     signatures-validity 14d;
>     signatures-refresh 7d;
> };
>
> dnssec-policy "algo8-13" {
>     keys {
>         ksk lifetime unlimited algorithm rsasha256; // Old Algo
>         zsk lifetime 30d algorithm rsasha256;       // Old Algo
>         ksk lifetime unlimited algorithm 13;        // New Algo
>         zsk lifetime 30d algorithm 13;              // New Algo
>     };
>     max-zone-ttl 1d;
>     signatures-validity 14d;
>     signatures-refresh 7d;
> };
>
> ==========================================================================
>
> The zone config looks like:
>
> ==========================================================================
>
> zone "somedomain.com" {
>     ...
>     inline-signing yes;
>     dnssec-policy "algo13";
>     key-directory "/etc/bind/keys";
> };
>
> ==========================================================================
>
>
> The initial idea was to switch the config of the domains that had to be rolled over to algo8-13 and temporarily have both keys in the zone waiting for the TTL of the DS records to expire. This was successful and algo 13 is now in use. I then switched to the algo13 policy and deleted the algo 8 keys of my keys directory.
>
> At this point, Bind sees that all the algo 8 keys are expired. It also sees that it can't find the files anymore (which prevents me from using dnssec-settime as far as I know).
>
> ==========================================================================
> dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
> dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
> ==========================================================================
>
> It still publishes the DNSKEY in the signed zone. I would like to ideally correct this by forcing bind to discard the old keys. Is this possible to do? And if yes, how?
>
> Regards,
>
> Arnold
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
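The rollover invariants behind Mark's "wait times" answer can be checked offline from the parent's DS set and the child's DNSKEY/RRSIG records as printed by dig. This is an added example, not code from the thread or from BIND; the records below are constructed, with placeholder key and digest material, to mirror the situation in the post (algorithm 13 in use, an algorithm 8 DNSKEY still published with no private key to sign with).

```python
# Added example (not from the thread): offline check of the two invariants an
# algorithm rollover must keep. Input is presentation-format text as printed
# by dig; the sample records are constructed with placeholder key material.
from collections import defaultdict

RRTYPES = {"DS", "DNSKEY", "RRSIG"}

def algorithms(text):
    """Map rrtype -> set of DNSSEC algorithm numbers found in the records."""
    found = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";")[0].split()          # drop trailing comments
        # owner [ttl] [class] TYPE rdata...  (TTL and class are optional)
        idx = next((i for i, f in enumerate(fields) if f in RRTYPES), None)
        if idx is None:
            continue
        rrtype, rdata = fields[idx], fields[idx + 1:]
        if rrtype == "DS":        # keytag algorithm digesttype digest
            found["DS"].add(int(rdata[1]))
        elif rrtype == "DNSKEY":  # flags protocol algorithm publickey
            found["DNSKEY"].add(int(rdata[2]))
        elif rrtype == "RRSIG":   # typecovered algorithm labels origttl ...
            found["RRSIG"].add(int(rdata[1]))
    return found

def check_rollover(parent_ds, child_apex):
    """Report algorithms that would make validators fail and DNSKEY
    algorithms that are still published but no longer sign anything."""
    ds = algorithms(parent_ds)["DS"]
    apex = algorithms(child_apex)
    dnskey, rrsig = apex["DNSKEY"], apex["RRSIG"]
    return {
        # RFC 6840 s5.11: each algorithm in the parent DS needs a DNSKEY and RRSIGs
        "bogus": {a for a in ds if a not in dnskey or a not in rrsig},
        # RFC 4035 s2.2: each DNSKEY algorithm should sign the zone; a key with
        # no signatures is a leftover (the deleted-key state from the post)
        "stale": {a for a in dnskey if a not in rrsig},
        "remaining_ds": ds,
    }

PARENT_DS = "somedomain.com. 86400 IN DS 12345 13 2 PLACEHOLDERDIGEST"
CHILD_APEX = """
somedomain.com. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY ; new KSK
somedomain.com. 3600 IN DNSKEY 256 3 13 PLACEHOLDERKEY ; new ZSK
somedomain.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY  ; old KSK, private key gone
somedomain.com. 3600 IN RRSIG DNSKEY 13 2 3600 20241030000000 20241016000000 12345 somedomain.com. SIG
somedomain.com. 3600 IN RRSIG SOA 13 2 3600 20241030000000 20241016000000 54321 somedomain.com. SIG
"""

if __name__ == "__main__":
    print(check_rollover(PARENT_DS, CHILD_APEX))  # stale == {8}, bogus == set()
```

An empty "bogus" set with a non-empty "stale" set is exactly the harmless-but-untidy state named would clean up itself once the old key files are restored and its timers expire.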