DNSSEC algo rollover fails to delete old keys

Matthijs Mekking matthijs at isc.org
Wed Oct 16 08:03:18 UTC 2024


If you provide the output of `rndc dnssec -status` it might give a hint 
why the keys are still published.

I suspect that BIND needs to be told that the DS has been withdrawn for 
the parent zone (assuming you don't have parental-agents set up).

For future algorithm rollovers: You can just change from "algo8" to 
"algo13", no need to have an intermittent "algo8-13" policy.

Best regards,

Matthijs

On 10/16/24 02:54, Arnold DECHAMPS wrote:
> Hello everyone,
> 
> I made an algo rollover in DNSSEC from algo 8 to algo 13.
> 
> Software version : 9.18.28-1~deb12u2-Debian
> 
> My zone configuration refers to policies :
> 
> ==========================================================================
> 
> dnssec-policy "algo8" {
>      keys {
>          ksk lifetime unlimited algorithm rsasha256;
>          zsk lifetime 30d algorithm rsasha256;
>      };
>      max-zone-ttl 1d;
>      signatures-validity 14d;
>      signatures-refresh 7d;
> };
> 
> dnssec-policy "algo13" {
>      keys {
>          ksk lifetime unlimited algorithm 13;
>          zsk lifetime 30d algorithm 13;
>      };
>      max-zone-ttl 1d;
>      signatures-validity 14d;
>      signatures-refresh 7d;
> };
> 
> dnssec-policy "algo8-13" {
>      keys {
>          ksk lifetime unlimited algorithm rsasha256;    // Old Algo
>          zsk lifetime 30d algorithm rsasha256;          // Old Algo
>          ksk lifetime unlimited algorithm 13;           // New Algo
>          zsk lifetime 30d algorithm 13;                 // New Algo
>      };
>      max-zone-ttl 1d;
>      signatures-validity 14d;
>      signatures-refresh 7d;
> };
> 
> ==========================================================================
> 
> The zone config looks like :
> 
> ==========================================================================
> 
> zone "somedomain.com"{
>      ...
>      inline-signing yes;
>      dnssec-policy "algo13";
>      key-directory "/etc/bind/keys";
> };
> 
> ==========================================================================
> 
> 
> The initial idea was to switch the config of the domains that had to be 
> rolled over to algo8-13 and temporarily have both keys in the zone 
> waiting for the TTL of the DS records to expire. This was successful and 
> algo 13 is now in use. I then switched to the algo13 policy and deleted 
> the algo 8 keys of my keys directory.
> 
> At this point, Bind sees that all the algo 8 keys are expired. It also 
> sees that it can't find the files anymore (which prevents me from using 
> dnssec-settime as far as I know).
> 
> ==========================================================================
> dns_dnssec_keylistfromrdataset: error reading 
> /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
> dns_dnssec_findzonekeys2: error reading 
> /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
> ==========================================================================
> 
> It still publishes the DNSKEY in the signed zone. I would like to 
> ideally correct this by forcing bind to discard the old keys. Is this 
> possible to do? And if yes, how?
> 
> Regards,
> 
> Arnold
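As an added illustration of the two things Matthijs points at (not code from either poster or from BIND): a small script that pulls the key tag and algorithm out of the "file not found" lines named logs, using the K<zone>.+<alg>+<tag> key-file naming, and builds the `rndc dnssec -checkds ... withdrawn` command for the retired KSK. The sample log is constructed from the lines quoted above; the rndc syntax assumed is the BIND 9.16+ `rndc dnssec -checkds [-key id [-alg algorithm]] published|withdrawn zone` form.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomedomain.com.+008+16000.private: file not found
dns_dnssec_findzonekeys2: error reading /etc/bind/keys/Ksomedomain.com.+008+40321.private: file not found
zone somedomain.com/IN (signed): sending notifies (serial 2024101601)
"""

# BIND names key files K<zone>.+<alg>+<keytag>.key / .private,
# with the algorithm number padded to 3 digits and the key tag to 5.
KEYFILE_RE = re.compile(
    r"error reading \S*/K(?P<zone>[^/\s]+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?:private|key): "
    r"file not found"
)

# DNSSEC algorithm numbers to the mnemonics rndc accepts for -alg.
ALG_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256"}


def missing_keys(log_text):
    """Return {(zone, alg, keytag): occurrences} for key files named could not read."""
    hits = Counter()
    for line in log_text.splitlines():
        m = KEYFILE_RE.search(line)
        if m:
            hits[(m["zone"], int(m["alg"]), int(m["tag"]))] += 1
    return dict(hits)


def checkds_withdrawn(zone, alg, tag):
    """rndc command telling dnssec-policy that the DS for this KSK is gone from the parent.

    Only meaningful for a KSK (a ZSK has no DS); `rndc dnssec -status <zone>` shows
    which tag is the KSK. Not needed when parental-agents is configured, since named
    then checks the parent for the DS itself.
    """
    return f"rndc dnssec -checkds -key {tag} -alg {ALG_NAMES.get(alg, alg)} withdrawn {zone}"


if __name__ == "__main__":
    for (zone, alg, tag), n in sorted(missing_keys(SAMPLE_LOG).items()):
        print(f"{zone}: key {tag} (alg {alg}) missing on disk, {n} log hits")
        print("  if this is the retired KSK:", checkds_withdrawn(zone, alg, tag))
```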


More information about the bind-users mailing list