Cannot import keys into dnssec-policy

Matthijs Mekking matthijs at isc.org
Mon Apr 7 14:28:07 UTC 2025


Hi,

I have tried to reproduce this, but when I issue a rollover it selects 
the key I generated previously, as expected.

If you believe this is a genuine bug, please submit a bug report:

https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Default

and fill in the steps to reproduce the issue.

Any logs (preferably debug level 3) would then also be greatly appreciated.

Thanks, best regards,

Matthijs



On 3/26/25 14:51, Nguyen Thi Minh Tam via bind-users wrote:
> Hi, I'm trying version 9.18.31.
> 
> According to the post on 
> https://kb.isc.org/docs/dnssec-key-and-signing-policy, the policy 
> normally generates keys when they are needed. However, we can generate 
> the DNSSEC keys ourselves first, and when the policy requires a new key, 
> it will select the one we created.
> 
> There is even an example in that post.
> 
> So, I followed that approach. I generated a new key that matches the 
> policy and placed it in the key directory. However, when it was time to 
> roll the key, my key was retired, and the policy generated a new one 
> instead.
> 
> Here is my policy:
> 
> 
> dnssec-policy "hosting key" {
>         dnskey-ttl PT1M;
>         keys {
>                 ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
>                 zsk key-directory lifetime P30D algorithm RSASHA256 2048;
>         };
> };
> 
> And I run this command to generate the next key:
> 
> dnssec-keygen -a 8 -b 2048 -n ZONE -K /data/keys/policy.com/ policy.com
> I even tried
> dnssec-keygen -k "hosting key" -l /etc/named.conf -K /data/keys/policy.com/ policy.com
> 
> so I'm pretty sure the new key matches the policy. But still, they all 
> got retired.
> 
> Please help.
> 
> Best regards,
> Tam
> 
> 
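Before filing the report Matthijs asks for, one thing worth verifying is that the pre-generated key file really matches the policy's keys clause (role, algorithm, and RSA modulus size). The script below is an added example, not code from this thread or from BIND: it parses the public `.key` file that dnssec-keygen writes (the `;` metadata header plus one DNSKEY record) and the `keys { ... }` lines of a dnssec-policy, then reports any mismatch. The sample policy is the one from the thread; the sample key files are constructed, the RSA blob inside them is filler rather than a real key, and all function names are my own.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# IANA DNSSEC algorithm numbers for the mnemonics BIND accepts in "algorithm"
DNSSEC_ALGORITHMS = {
    "RSASHA1": 5, "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15, "ED448": 16,
}
RSA_ALGORITHMS = {5, 7, 8, 10}  # only these carry a caller-chosen modulus size

# "ksk key-directory lifetime P1Y algorithm RSASHA256 2048;" -> role, lifetime, algorithm, [bits]
POLICY_KEY_RE = re.compile(
    r"\b(ksk|zsk|csk)\s+key-directory\s+lifetime\s+(\S+)\s+algorithm\s+(\S+?)(?:\s+(\d+))?\s*;")
# "policy.com. [TTL] [IN] DNSKEY flags protocol algorithm base64..."
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

@dataclass
class PolicyKey:
    role: str            # ksk, zsk or csk
    lifetime: str
    algorithm: int
    bits: Optional[int]

@dataclass
class KeyFile:
    name: str
    role: str            # from the DNSKEY flags: 257 -> ksk, 256 -> zsk
    algorithm: int
    bits: Optional[int]  # RSA modulus size; None for non-RSA algorithms

def parse_policy_keys(policy_text: str) -> List[PolicyKey]:
    """Extract every key spec from the keys { ... } clause of a dnssec-policy."""
    specs = []
    for role, lifetime, alg, bits in POLICY_KEY_RE.findall(policy_text):
        alg_num = int(alg) if alg.isdigit() else DNSSEC_ALGORITHMS[alg.upper()]
        specs.append(PolicyKey(role, lifetime, alg_num, int(bits) if bits else None))
    return specs

def rsa_modulus_bits(blob: bytes) -> int:
    """RFC 3110 layout: exponent length (1 byte, or 0x00 + 2 bytes), exponent, then modulus."""
    if blob[0] != 0:
        exp_len, offset = blob[0], 1
    else:
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    modulus = blob[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def parse_key_file(text: str) -> KeyFile:
    """Read the DNSKEY record from a dnssec-keygen .key file, skipping the ';' metadata header."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = DNSKEY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a DNSKEY record: {line!r}")
        name, flags, _proto, alg, b64 = m.groups()
        alg = int(alg)
        role = "ksk" if int(flags) & 0x0001 else "zsk"  # SEP bit set marks a KSK
        blob = base64.b64decode("".join(b64.split()))
        return KeyFile(name, role, alg, rsa_modulus_bits(blob) if alg in RSA_ALGORITHMS else None)
    raise ValueError("no DNSKEY record found")

def check_key_against_policy(key: KeyFile, policy: List[PolicyKey]) -> List[str]:
    """Return why the key satisfies no entry of the policy; an empty list means it matches one."""
    reasons = []
    for spec in policy:
        if spec.role != key.role and not (spec.role == "csk" and key.role == "ksk"):
            continue
        if spec.algorithm != key.algorithm:
            reasons.append(f"{spec.role}: policy algorithm {spec.algorithm}, key has {key.algorithm}")
        elif spec.bits is not None and key.bits != spec.bits:
            reasons.append(f"{spec.role}: policy wants {spec.bits} bits, key has {key.bits}")
        else:
            return []
    return reasons or [f"no {key.role} entry in policy"]

# Constructed sample policy: the one from the thread, with its closing brace.
SAMPLE_POLICY = """
dnssec-policy "hosting key" {
    dnskey-ttl PT1M;
    keys {
        ksk key-directory lifetime P1Y algorithm RSASHA256 2048;
        zsk key-directory lifetime P30D algorithm RSASHA256 2048;
    };
};
"""

def synthetic_key_file(flags: int, alg: int, modulus_bytes: int) -> str:
    """Constructed .key file in dnssec-keygen's layout; the RSA blob is filler, not a real key."""
    blob = bytes([3]) + b"\x01\x00\x01" + bytes([0xAB]) * modulus_bytes  # e=65537, fake modulus
    kind = "key-signing" if flags & 1 else "zone-signing"
    return (f"; This is a {kind} key, keyid 12345, for policy.com.\n"
            "; Publish: 20250326000000 (constructed)\n"
            "; Activate: 20250326000000 (constructed)\n"
            f"policy.com. IN DNSKEY {flags} 3 {alg} {base64.b64encode(blob).decode()}\n")

GOOD_ZSK = synthetic_key_file(256, 8, 256)   # ZSK, RSASHA256, 2048-bit: matches the policy
SHORT_ZSK = synthetic_key_file(256, 8, 128)  # ZSK, RSASHA256, 1024-bit: too small
WRONG_ALG = synthetic_key_file(257, 13, 32)  # KSK flag, algorithm 13: wrong algorithm
```

Run `check_key_against_policy(parse_key_file(open("Kpolicy.com.+008+12345.key").read()), parse_policy_keys(open("/etc/named.conf").read()))` against the real files: an empty list means the key is at least the right kind for some policy entry. A match here does not by itself prove named will adopt the key at rollover time, since named also reads the key's timing metadata, but it rules out the simplest cause before collecting the debug level 3 logs Matthijs asks for.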