Re: [BIND-users] DNSSEC Key Management: Using dnssec-policy with Externally Generated Keys — KASP Auto-Retiring Newly Copied Keys

Petr Špaček pspacek at isc.org
Thu Mar 19 09:59:55 UTC 2026


On 19. 03. 26 10:18, Matthijs Mekking wrote:
> On 3/18/26 13:11, Nagesh Thati wrote:
>> I wanted to follow up on my earlier question regarding using dnssec-policy
>> with externally generated keys in BIND 9.18.35 and share that
>> the suggested approach worked successfully.
>>
>> To summarize what worked for our implementation:
>>
>> 1. Using the -G flag with dnssec-keygen to generate pregenerated keys 
>> with no timing metadata (only the Created field is present). This was 
>> the key insight we were missing — our keys previously had full timing 
>> metadata which caused BIND's KASP engine to mishandle them.
> 
> Sounds good.
> 
> 
>> 2. Copying the pregenerated keys to the key directory and running 
>> 'rndc loadkeys' is sufficient for BIND to detect and schedule the 
>> rollover automatically. There is no need to run 'rndc dnssec -rollover'
>> for normal lifecycle rollovers — doing so prematurely caused
>> immediate key deletion in our testing, bypassing the double-signature 
>> phase entirely.
> 
> Correct. Only if you have key lifetime unlimited, you will need to run 
> 'rndc dnssec -rollover'. Some operators like to control when they start 
> rolling their key (external to BIND 9), but you can rely on dnssec-policy's
> key lifetime, as long as you pregenerate the keys before the
> successor needs to be pre-published.

Wondering out loud:
Could the new 'manual' mode in dnssec-policy be even better? It would 
prevent any automatic change at all, resulting in better external control.

-- 
Petr Špaček
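The thread's key insight is that pregenerated keys handed to dnssec-policy must carry no timing metadata beyond "Created" (what `dnssec-keygen -G` produces); keys with Publish/Activate/Inactive/Delete already set are treated by the KASP engine as having a lifecycle. The script below is an added example, not code from this thread or from BIND: it inspects the metadata lines of BIND `.private` files and flags any key that carries lifecycle timing fields before it is copied into the key directory. It assumes the `Private-key-format: v1.3` field names (Created, Publish, Activate, Revoke, Inactive, Delete, SyncPublish, SyncDelete); the two sample key files are constructed and contain placeholder key material, not real keys.

```python
"""Check pregenerated DNSSEC key files for unwanted timing metadata.

Added example for the bind-users thread; not BIND's own code. It reads the
metadata lines of a BIND ``.private`` file and reports which timing fields are
set. Keys made with ``dnssec-keygen -G`` should carry only ``Created``.
"""
from pathlib import Path

# Timing fields BIND writes into .private files (assumption: v1.3 format names).
TIMING_FIELDS = (
    "Created", "Publish", "Activate", "Revoke",
    "Inactive", "Delete", "SyncPublish", "SyncDelete",
)
# Non-secret header fields worth keeping in a report.
HEADER_FIELDS = ("Private-key-format", "Algorithm")


def parse_private_key_metadata(text: str) -> dict:
    """Return 'Field: value' pairs for header and timing lines only.

    PrivateKey and algorithm-specific key material lines are deliberately
    skipped so secret material never ends up in a report or log.
    """
    meta = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key in TIMING_FIELDS or key in HEADER_FIELDS:
            meta[key] = value.strip()
    return meta


def timing_fields_set(text: str) -> list:
    """List the timing fields present, in BIND's canonical order."""
    meta = parse_private_key_metadata(text)
    return [f for f in TIMING_FIELDS if f in meta]


def is_pregenerated_only(text: str) -> bool:
    """True when Created is the only timing field (the dnssec-keygen -G shape)."""
    return timing_fields_set(text) == ["Created"]


def check_key_directory(path) -> dict:
    """Scan K*.private files under *path*; map filename -> extra timing fields.

    An empty dict means every key is safe to hand to dnssec-policy as a
    pregenerated key.
    """
    problems = {}
    for p in sorted(Path(path).glob("K*.private")):
        extra = [f for f in timing_fields_set(p.read_text()) if f != "Created"]
        if extra:
            problems[p.name] = extra
    return problems


# Constructed sample files (hypothetical; PrivateKey values are placeholders).
PREGENERATED = """Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: PLACEHOLDER-NOT-A-REAL-KEY=
Created: 20260318120000
"""

FULL_TIMING = """Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: PLACEHOLDER-NOT-A-REAL-KEY=
Created: 20260318120000
Publish: 20260318120000
Activate: 20260319120000
Inactive: 20260617120000
Delete: 20260627120000
"""

if __name__ == "__main__":
    for name, text in (("pregenerated", PREGENERATED), ("full-timing", FULL_TIMING)):
        verdict = "ok for dnssec-policy" if is_pregenerated_only(text) else "has lifecycle metadata"
        print(f"{name}: {timing_fields_set(text)} -> {verdict}")
```

Run `check_key_directory("/path/to/staging")` on the staging directory before copying keys and running `rndc loadkeys`; any file it reports was not generated with `-G` (or has since had timing set with `dnssec-settime`) and will not be scheduled the way the thread describes.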

