Persistence of SKR file in offline KSK configuration
Matthijs Mekking
matthijs at isc.org
Tue Apr 7 09:12:12 UTC 2026
Hi Jakub,
For now, yes, the SKR file needs to be imported after a restart. I admit
we can make that a bit nicer.
If the earlier bundles in the file have expired that should be fine.
BIND will pick the bundle according to the current date and time.
If all bundles in the file have expired (if that is what you mean by
"the SKR expires"), it is time to create a new SKR file. Yes, that file
needs to be reloaded into BIND with 'rndc skr -import'.
Best regards,
Matthijs
On 4/4/26 18:43, Jakub Suchý wrote:
> Hello,
> I am trying to use an offline KSK setup. I have a question regarding the SKR file persistence.
> Should the SKR persist across restarts, or is it expected that it must be re-imported after each server reboot?
>
> I have this dnssec-policy:
> dnssec-policy "offlineksk" {
>     offline-ksk yes;
>     inline-signing yes;
>     publish-safety PT12H;
>     retire-safety PT12H;
>     keys {
>         ksk lifetime P5Y algorithm 8 2048;
>         zsk lifetime P6M algorithm 8 2048;
>     };
> };
>
> and this zone config:
> view "view-lan" {
>     ...
>     zone "domain.tld" {
>         type primary;
>         notify no;
>         file "/var/lib/bind/zones/domain.tld.zone";
>         dnssec-policy "offlineksk";
>         key-directory "/var/lib/bind/keys";
>     };
> };
>
> I have no problem generating the KSR and SKR (on a different machine). This is a partial `grep -i signed domain.tld.skr`:
> ;; SignedKeyResponse 1.0 20260403153847 (Fri Apr 3 17:38:47 2026)
> ;; SignedKeyResponse 1.0 20260412153847 (Sun Apr 12 17:38:47 2026)
> ;; SignedKeyResponse 1.0 20260421153847 (Tue Apr 21 17:38:47 2026)
> ;; SignedKeyResponse 1.0 20260430153847 (Thu Apr 30 17:38:47 2026)
> (it contains bundles for a few months.)
>
> Loading the SKR using rndc works; in the logs I got this, which seems correct:
> dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys
> dnssec: info: zone domain.tld/IN/lan-view (signed): next key event: 04-Apr-2026 18:34:54.243
>
>
> However, after a restart of bind (or the machine), there is an error in the log regarding the SKR file:
> dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys
> dnssec: error: zone domain.tld/IN/lan-view (signed): zone_rekey failure: no SKR file (retry in 600 seconds)
>
>
> Does this mean I need to import the SKR after each server reboot? It works for the current SKR bundle, but that will expire in a while. Does the SKR need to be reloaded into bind when it expires if the server was restarted in the meantime?
>
> Thank you
>
> Best regards,
> Jakub
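Added example (not from the thread or from BIND itself): a small check that reads the `;; SignedKeyResponse 1.0 <timestamp>` header lines from an SKR file and reports which bundle BIND would pick at a given time, and whether that is the last bundle in the file, so an operator can tell after a restart which bundle should be active and whether a new SKR is due. It assumes the 14-digit timestamp is the bundle's inception in UTC and that a bundle stays in use until the next bundle's inception; the sample input is constructed from the header lines quoted above.

```python
import re
from datetime import datetime, timezone

# One of these header lines starts each bundle in an SKR file, as shown in
# the `grep -i signed domain.tld.skr` output quoted in the thread.
_HEADER = re.compile(r"^;; SignedKeyResponse 1\.0 (\d{14})")

# Constructed sample: the four header lines quoted on the list.
SAMPLE_SKR = """\
;; SignedKeyResponse 1.0 20260403153847 (Fri Apr 3 17:38:47 2026)
;; SignedKeyResponse 1.0 20260412153847 (Sun Apr 12 17:38:47 2026)
;; SignedKeyResponse 1.0 20260421153847 (Tue Apr 21 17:38:47 2026)
;; SignedKeyResponse 1.0 20260430153847 (Thu Apr 30 17:38:47 2026)
"""


def parse_ts(stamp):
    """Turn a YYYYMMDDHHMMSS string into a UTC datetime (assumed UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def bundle_inceptions(skr_text):
    """Inception time of every bundle, in file order."""
    return [parse_ts(m.group(1))
            for m in (_HEADER.match(line) for line in skr_text.splitlines())
            if m]


def active_bundle(skr_text, now):
    """Return (index, is_last): the bundle BIND would use at `now`, i.e. the
    latest one whose inception is not in the future, and whether it is the
    final bundle in the file (meaning a new SKR must be generated and
    imported with 'rndc skr -import' before it runs out).
    index is None when no bundle has started yet."""
    inceptions = bundle_inceptions(skr_text)
    current = None
    for i, inception in enumerate(inceptions):
        if inception <= now:
            current = i
    if current is None:
        return None, False
    return current, current == len(inceptions) - 1


if __name__ == "__main__":
    idx, last = active_bundle(SAMPLE_SKR, datetime.now(timezone.utc))
    print("active bundle:", idx, "(last bundle in file)" if last else "")
```

Run it against the real SKR file (for example `active_bundle(open(path).read(), datetime.now(timezone.utc))`) after a restart to confirm which bundle the re-imported file should activate.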