Persistence of SKR file in offline KSK configuration
Jakub Suchý
suchy at dwiggy.net
Sat Apr 4 16:43:06 UTC 2026
Hello,
I am trying to use the offline KSK setup. I have a question regarding SKR file persistence.
Should the SKR persist across restarts, or is it expected that it must be re-imported after each server reboot?
I have this dnssec-policy:
    dnssec-policy "offlineksk" {
        // KSK is held and used on a separate, offline machine
        offline-ksk yes;
        inline-signing yes;
        publish-safety PT12H;
        retire-safety PT12H;
        keys {
            ksk lifetime P5Y algorithm 8 2048;
            zsk lifetime P6M algorithm 8 2048;
        };
    };
and this zone config:
    view "view-lan" {
        ...
        zone "domain.tld" {
            type primary;
            notify no;
            file "/var/lib/bind/zones/domain.tld.zone";
            dnssec-policy "offlineksk";
            // ZSK (and imported SKR data) live here on the online server
            key-directory "/var/lib/bind/keys";
        };
    };
I have no problem generating the KSR and SKR (on a different machine). This is partial output of `grep -i signed domain.tld.skr`:
    ;; SignedKeyResponse 1.0 20260403153847 (Fri Apr 3 17:38:47 2026)
    ;; SignedKeyResponse 1.0 20260412153847 (Sun Apr 12 17:38:47 2026)
    ;; SignedKeyResponse 1.0 20260421153847 (Tue Apr 21 17:38:47 2026)
    ;; SignedKeyResponse 1.0 20260430153847 (Thu Apr 30 17:38:47 2026)
(it contains bundles for a few months.)
Loading the SKR using rndc works; in the logs I get the following, which seems correct:
    dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys
    dnssec: info: zone domain.tld/IN/lan-view (signed): next key event: 04-Apr-2026 18:34:54.243
However, after a restart of BIND (or of the machine), there is an error in the log regarding the SKR file:
    dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys
    dnssec: error: zone domain.tld/IN/lan-view (signed): zone_rekey failure: no SKR file (retry in 600 seconds)
Does this mean I need to import the SKR after each server reboot? It works for the current SKR bundle, but that will expire in a while. Does the SKR need to be reloaded into BIND when it expires if the server was restarted in the meantime?
Thank you
Best regards,
Jakub
More information about the bind-users mailing list
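An added example, not code from the post or from BIND: a small Python check an operator could run from cron on the online signer. It parses the `;; SignedKeyResponse` bundle headers in the format shown above, reports which bundle is current and when the next one starts, estimates when the file runs out, and scans named's log for the `zone_rekey failure: no SKR file` error that the post shows after a restart. The sample SKR embeds the four header lines from the post with the DNSKEY/CDNSKEY/CDS/RRSIG record lines replaced by constructed placeholders, and the sample log lines are the two from the post. The end-of-coverage estimate (last bundle start plus the usual inter-bundle interval) and the 14-day warning threshold are assumptions of this example; the authoritative end is the RRSIG expiration inside the last bundle.

```python
"""Check an offline-KSK SKR file against the clock and scan named logs for the
'no SKR file' rekey failure. Added example; not BIND's or the poster's code."""
import re
from datetime import datetime, timedelta, timezone

# Bundle header format as seen in `grep -i signed domain.tld.skr` in the post.
BUNDLE_RE = re.compile(r"^;; SignedKeyResponse 1\.0 (\d{14}) \(")
# Error line format from the post's named log after a restart.
NO_SKR_RE = re.compile(r"zone (\S+) \(signed\): zone_rekey failure: no SKR file")

# Constructed sample: the post's header lines; record lines are placeholders.
SAMPLE_SKR = """\
;; SignedKeyResponse 1.0 20260403153847 (Fri Apr 3 17:38:47 2026)
;; (constructed placeholder: DNSKEY, CDNSKEY, CDS and RRSIG records omitted)
;; SignedKeyResponse 1.0 20260412153847 (Sun Apr 12 17:38:47 2026)
;; (constructed placeholder: DNSKEY, CDNSKEY, CDS and RRSIG records omitted)
;; SignedKeyResponse 1.0 20260421153847 (Tue Apr 21 17:38:47 2026)
;; (constructed placeholder: DNSKEY, CDNSKEY, CDS and RRSIG records omitted)
;; SignedKeyResponse 1.0 20260430153847 (Thu Apr 30 17:38:47 2026)
;; (constructed placeholder: DNSKEY, CDNSKEY, CDS and RRSIG records omitted)
"""

# Constructed sample log: the two lines quoted in the post.
SAMPLE_LOG = [
    "dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys",
    "dnssec: error: zone domain.tld/IN/lan-view (signed): zone_rekey failure: "
    "no SKR file (retry in 600 seconds)",
]


def parse_ts(stamp):
    """Parse a YYYYMMDDHHMMSS header timestamp; SKR headers are in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_bundles(skr_text):
    """Return the UTC start time of every bundle in the SKR, in file order."""
    starts = []
    for line in skr_text.splitlines():
        m = BUNDLE_RE.match(line)
        if m:
            starts.append(parse_ts(m.group(1)))
    return starts


def skr_status(starts, now, warn_before=timedelta(days=14)):
    """Classify the SKR relative to `now`.

    A bundle's signatures are in use from its start until the next bundle
    starts. The header does not carry the last bundle's end, so it is
    estimated here as last start + smallest inter-bundle gap (assumption of
    this example; the real end is the RRSIG expiration in that bundle).
    """
    if not starts:
        return {"state": "empty"}
    starts = sorted(starts)
    if now < starts[0]:
        return {"state": "not-yet-valid", "first": starts[0]}
    active = max(s for s in starts if s <= now)
    later = [s for s in starts if s > now]
    nxt = min(later) if later else None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    est_end = starts[-1] + (min(gaps) if gaps else timedelta(0))
    if now >= est_end:
        state = "expired"  # nothing left to serve: a fresh SKR is needed
    elif est_end - now <= warn_before:
        state = "expiring-soon"
    else:
        state = "ok"
    return {"state": state, "active": active, "next": nxt,
            "estimated_end": est_end, "bundles": len(starts)}


def zones_missing_skr(log_lines):
    """Zones that logged 'no SKR file' on rekey, e.g. named restarted without
    the SKR being re-imported (the symptom described in the post)."""
    zones = set()
    for line in log_lines:
        m = NO_SKR_RE.search(line)
        if m:
            zones.add(m.group(1))
    return sorted(zones)


if __name__ == "__main__":
    # Use the post's own timestamp as "now" for a reproducible run.
    now = parse_ts("20260404164306")
    print(skr_status(parse_bundles(SAMPLE_SKR), now))
    print("zones needing an SKR import:", zones_missing_skr(SAMPLE_LOG))
```

In production, replace SAMPLE_SKR with the contents of the SKR file on disk and SAMPLE_LOG with the tail of named's dnssec log channel; an "expired" or "expiring-soon" state means a new KSR/SKR round trip to the offline KSK machine is due, and a non-empty zone list means the running named has no SKR loaded regardless of what is on disk.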