dnssec/obsolete dns keys removal - how to?

Florian Piekert floppy at floppy.org
Fri Jun 20 14:20:37 UTC 2025 

Dear all,

I have tried some faulty ways to setup dnssec for some of my domains about a month ago. This resulted in the creation of several ZSK, KSK and CSK dnssec keys (and files) until I got a configuration that actually was working as it should. Due to proper ignorance and non-knowledge I deleted those files somewhen in between while trying.

After a while I got a correct working setup (using the default *facepalm*).
Although I have then successfully managed to get the correct key setup into the DS with the root tld zones, I have mysterious DNSKEY entries on my bind installations for these particular domains that I do not seem to get rid of.

I do not have the initially created key files anymore, they are nowhere referenced in bind configuration of the zones or anywhere in bind.

I even deleted the /var/lib/bind/ directory contents of the master and secondaries, restarted all bind binaries. They are still there. And yes, I shutdown all binds, deleted the files, restarted them again. Still somewhere existing.

How do I get these obsolete entries removed?

The working (and now current) setup is simply the default
...
   dnssec-policy default;
   key-directory "/etc/bind/zones/master/floppy-friends/rosen-roth.com-keys/";
   inline-signing yes;
   serial-update-method increment;
};
in the zone directives for the master bind.

root at theater:/etc/bind# dig rosen-roth.com. DNSKEY

; <<>> DiG 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu <<>> rosen-roth.com. DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37442
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a797dbfa0e86e3030100000068556a2fa1cfa1f6c89a33aa (good)
;; QUESTION SECTION:
;rosen-roth.com.                        IN      DNSKEY

;; ANSWER SECTION:
rosen-roth.com.         3600    IN      DNSKEY  257 3 13 CtkLyrsB5YZ7Q8xXW8xNrLrXXbVt9FlQhZN4YXtAIGZ7XhIgxca3dn5s fowG0GVA5uVU3VKmZDxg3uYOWc1KVg==
rosen-roth.com.         3600    IN      DNSKEY  257 3 13 U04Pkg5Y4PVyVmGf1+d2nsjsCncm8uvVZ55Ci/UsOLVFJboaYw5UWMb4 LWNuBBNv/TDnlJT6fbhN+LockkW+iA==

root at theater:/etc/bind# rndc dnssec -status rosen-roth.com
dnssec-policy: default
current time:  Fri Jun 20 16:03:48 2025

key: 30519 (ECDSAP256SHA256), CSK
   published:      yes - since Mon Jun  2 21:20:55 2025
   key signing:    yes - since Mon Jun  2 21:20:55 2025
   zone signing:   yes - since Mon Jun  2 21:20:55 2025

   No rollover scheduled
   - goal:           omnipresent
   - dnskey:         omnipresent
   - ds:             omnipresent
   - zone rrsig:     omnipresent
   - key rrsig:      omnipresent

root at theater:/etc/bind# l zones/master/floppy-friends/rosen-roth.com-keys/
total 20
drwxrws---  2 bind bind 4096 Jun  4 23:25 ./
drwxrwsr-x 20 root bind 4096 Jun 20 15:54 ../
-rw-r--r--  1 bind bind  409 Jun  4 23:25 Krosen-roth.com.+013+30519.key
-rw-------  1 bind bind  241 Jun  4 23:25 Krosen-roth.com.+013+30519.private
-rw-r--r--  1 bind bind  727 Jun  4 23:25 Krosen-roth.com.+013+30519.state

https://dnsviz.net/d/rosen-roth.com/analyze/
shows that the key id 30519 is used as it should.

But the other key 46018 exists there, signed by 30519 apparently. The 46018 is expired now, which is probably good, but how the h* do I get this thing "deleted"? I do not know where this "key" is "hiding"...

I have 2 more domains, one even suffers from 4 existing keys (3 phantom).

Btw, I did NOT submit those "obsolete" keys for entry in the corresponding .tld zone DS lists...

Any pointers would be highly appreciated.

root at theater:/etc/bind# named -version
BIND 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu (Extended Support Version) <id:>
(existed with the 9.20.9.... as well)

Florian

More information about the bind-users mailing list