[DNSSEC] when remove KSK from file system

Matthijs Mekking matthijs at isc.org
Wed Mar 19 14:29:40 UTC 2025


You can set 'purge-keys' to a value you feel comfortable with. By 
default it is set to 90 days, so after 90 days the key is completely 
hidden and it will be removed from disk.

Best regards,

Matthijs

On 19-03-2025 09:29, adrien sipasseuth wrote:
> Hello,
> 
> I use Bind 9.20.4, with KASP policy to setup DNSSEC on some zone.
> When a KSK is "hidden" and present in "rndc dnssec -status <zone>",
> I moved it to an archive repository.
> 
> But this generates many logs:
> mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025
> 09:15:46.149 dnssec: error: zone bxxxxxxxxxxxxxxx/IN (signed):
> zone_rekey:zone_verifykeys failed: some key files are missing
> mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025
> 09:15:46.149 dnssec: info: zone bxxxxxxxxxxxxxxx/IN (signed):
> reconfiguring zone keys
> mars 19 09:15:46 xxxxxxxxxxxxxxx named[2378461]: 19-Mar-2025
> 09:15:46.153 dnssec: debug 1: zone bxxxxxxxxxxxxxxx/IN (signed):
> verifykeys: key bxxxxxxxxxxxxxxx/ECDSAP256SHA256/2610 - not available
> 
> 
> And this is the content of the state file for this KSK:
> ; This is the state of key 2610, for bxxxxxxxxxxxxxxx.
> Algorithm: 13
> Length: 256
> Lifetime: 63072000
> Successor: 15728
> KSK: yes
> ZSK: no
> Generated: 20240205133815 (Mon Feb  5 14:38:15 2024)
> Published: 20240205133815 (Mon Feb  5 14:38:15 2024)
> Active: 20240205133815 (Mon Feb  5 14:38:15 2024)
> Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
> Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
> DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
> DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
> PublishCDS: 20240206144315 (Tue Feb  6 15:43:15 2024)
> DSPubCount: 4
> DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
> KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
> DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
> DNSKEYState: hidden
> KRRSIGState: hidden
> DSState: hidden
> GoalState: hidden
> 
> So when can I "archive" / remove my expired KSK from the file system?
> 
> Regards,
> Adrien SIPASSEUTH
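An added example, not code from the thread or from BIND itself: a small Python script that parses the kind of key state file quoted in the question and reports when the key becomes eligible for purging. It assumes (labelled as assumptions in the code) that a key counts as fully hidden only when DNSKEYState, KRRSIGState, DSState and GoalState are all "hidden", and that the earliest purge time is the "Removed" timestamp plus the policy's purge-keys interval (90 days by default, as the reply says). The zone name is a placeholder, since the original is redacted. The script only reports; it never deletes key files, because named removes them itself once purge-keys elapses.

```python
"""Report when a BIND 9 KSK/ZSK state file says the key may be purged.

Assumptions (not taken from BIND documentation, from the thread only):
  * a key is "completely hidden" when all four *State fields are hidden;
  * the earliest purge time is Removed + purge-keys interval.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the state file from the question, with the redacted
# zone name replaced by the placeholder "example.test".
SAMPLE_STATE = """\
; This is the state of key 2610, for example.test.
Algorithm: 13
Length: 256
Lifetime: 63072000
Successor: 15728
KSK: yes
ZSK: no
Generated: 20240205133815 (Mon Feb  5 14:38:15 2024)
Published: 20240205133815 (Mon Feb  5 14:38:15 2024)
Active: 20240205133815 (Mon Feb  5 14:38:15 2024)
Retired: 20250219143815 (Wed Feb 19 15:38:15 2025)
Removed: 20250220163815 (Thu Feb 20 17:38:15 2025)
DSPublish: 20240911083829 (Wed Sep 11 10:38:29 2024)
DSRemoved: 20250220093816 (Thu Feb 20 10:38:16 2025)
PublishCDS: 20240206144315 (Tue Feb  6 15:43:15 2024)
DSPubCount: 4
DNSKEYChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
KRRSIGChange: 20250221124316 (Fri Feb 21 13:43:16 2025)
DSChange: 20250221113816 (Fri Feb 21 12:38:16 2025)
DNSKEYState: hidden
KRRSIGState: hidden
DSState: hidden
GoalState: hidden
"""

STATE_FIELDS = ("DNSKEYState", "KRRSIGState", "DSState", "GoalState")
DEFAULT_PURGE_DAYS = 90  # BIND's default purge-keys value, per the reply


def parse_ts(stamp):
    """Parse the 14-digit UTC timestamp used in state files (YYYYMMDDHHMMSS)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_state_file(text):
    """Return a dict of field -> value; timestamp fields become datetimes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        m = re.match(r"(\d{14})\b", value)  # "20250220163815 (Thu ...)" form
        fields[key.strip()] = parse_ts(m.group(1)) if m else value
    return fields


def all_hidden(fields):
    """Assumption: fully hidden means every state field reads 'hidden'."""
    return all(fields.get(f) == "hidden" for f in STATE_FIELDS)


def earliest_purge_time(fields, purge_days=DEFAULT_PURGE_DAYS):
    """Removed + purge-keys, or None if the key is not hidden or never removed."""
    removed = fields.get("Removed")
    if not all_hidden(fields) or not isinstance(removed, datetime):
        return None
    return removed + timedelta(days=purge_days)


def may_archive(fields, now, purge_days=DEFAULT_PURGE_DAYS):
    """True once the purge-keys interval has elapsed since removal."""
    when = earliest_purge_time(fields, purge_days)
    return when is not None and now >= when


def describe(fields, now, purge_days=DEFAULT_PURGE_DAYS):
    """Human-readable verdict for an operator checking a state file."""
    when = earliest_purge_time(fields, purge_days)
    if when is None:
        return "key is not fully hidden yet; named still needs its files"
    verdict = "eligible for purge" if now >= when else "keep on disk"
    return f"{verdict}: purge-keys elapses at {when.isoformat()}"


if __name__ == "__main__":
    state = parse_state_file(SAMPLE_STATE)
    # Time of the log lines in the question (2025-03-19 09:15:46 UTC).
    print(describe(state, parse_ts("20250319091546")))
```

Run against the quoted state file at the time of the question, the script reports "keep on disk", which matches the symptom: the key was hidden for a month, but the 90-day purge-keys interval had not elapsed, so named still expected the files and logged "some key files are missing". Shortening the interval (for example `purge-keys P30D;` in the dnssec-policy) moves the purge date earlier; pass `purge_days=30` to see the effect.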

