<html><head><meta http-equiv="content-type" content="text/html; charset=us-ascii"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;"><div>Hi all,</div><div><br></div><div>I'm probably missing something obvious here, but I'm trying to figure out how to "delete" a DNSKEY from zone that uses inline signing. The zone statement looks like this:</div><div><br></div><div><div><span class="Apple-tab-span" style="white-space:pre"> </span>zone "dns-lab.info" {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>type master;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>file "/var/cache/bind/db.dns-lab.info";</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>dnssec-policy alg8;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>inline-signing yes;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>};</div></div><div><br></div><div>This is the current state:</div><div><br></div><div><a href="https://dnsviz.net/d/dns-lab.info/ZrMLNw/dnssec/">https://dnsviz.net/d/dns-lab.info/ZrMLNw/dnssec/</a></div><div><br></div><div>Or:</div><div><br></div><div><div>$ sudo rndc dnssec -status dns-lab.info</div><div>dnssec-policy: alg8</div><div>current time: Tue Aug 6 23:48:14 2024</div><div><br></div><div>key: 50277 (ECDSAP256SHA256), CSK</div><div> published: yes - since Thu Oct 19 09:59:06 2023</div><div> key signing: yes - since Thu Oct 19 09:59:06 2023</div><div> zone signing: yes - since Thu Oct 19 09:59:06 2023</div><div><br></div><div> Rollover is due since Thu Oct 26 16:11:03 2023</div><div> - goal: hidden</div><div> - dnskey: omnipresent</div><div> - ds: unretentive</div><div> - zone rrsig: omnipresent</div><div> - key rrsig: omnipresent</div><div><br></div><div>key: 48266 (RSASHA256), CSK</div><div> published: yes - since Thu Oct 26 16:11:03 2023</div><div> key signing: yes - since Thu Oct 26 16:11:03 2023</div><div> zone signing: yes - since Thu Oct 26 16:11:03 2023</div><div><br></div><div> No rollover scheduled</div><div> - goal: omnipresent</div><div> - dnskey: omnipresent</div><div> - ds: rumoured</div><div> - zone rrsig: omnipresent</div><div> - key rrsig: omnipresent</div></div><div><br></div><div><div>Note that keys with two DNSSEC algorithms are in the zone, which might be complicating things... ?</div></div><div><br></div><div>Now I use dnssec-settime to give key 50277 a "delete date":</div><div><br></div><div>$ sudo -u bind dnssec-settime -D+5mi /var/cache/bind/Kdns-lab.info.+013+50277.</div><div>/var/cache/bind/Kdns-lab.info.+013+50277.key</div><div>/var/cache/bind/Kdns-lab.info.+013+50277.private</div><div><br></div><div>It seems to work:</div><div><br></div><div><div>$ sudo cat /var/cache/bind/Kdns-lab.info.+013+50277.key | grep Delete</div><div>; Delete: 20240807054556 (Tue Aug 6 23:45:56 2024)</div><div><br></div></div><div><div>$ sudo /etc/init.d/named reload</div><div>Reloading named configuration (via systemctl): named.service.</div></div><div><br></div><div>I'm not really sure what the following lines mean in the log because they don't seem to correspond to the times in the key file.</div><div><br></div><div><div>$ sudo tail -100 /var/log/syslog | grep key</div><div>2024-08-06T23:41:10.353023-06:00 bass named[216234]: zone dns-lab.info/IN/authoritative-only (signed): reconfiguring zone keys</div><div>2024-08-06T23:41:10.356705-06:00 bass named[216234]: keymgr: retire DNSKEY dns-lab.info/ECDSAP256SHA256/50277 (CSK)</div><div>2024-08-06T23:41:10.356888-06:00 bass named[216234]: zone dns-lab.info/IN/authoritative-only (signed): next key event: 07-Aug-2024 00:41:10.345</div><div><br></div></div><div>However, nothing ever changes with key 50277. <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">I've done all this multiple times over several days. </span>It continues to sign records when I add records to the zone. If someone has ideas to point me in the right direction, that would be great.</div><div><br></div><div><div>$ /usr/sbin/named -v</div><div>BIND 9.18.28-1~deb12u2-Debian (Extended Support Version) <id:></div></div><div><br></div><div><br></div>
Thanks,<div>Casey</div></body></html>