Just give it time. Named will choose the appropriate DNSKEY when it comes time to re-sign the RRset.

-- 
Mark Andrews

> On 3 Sep 2021, at 03:26, Timothy A. Holtzen <t...@nebrwesleyan.edu> wrote:
>
> Okay, so if I'm interpreting this correctly. When the new alg 14 KSKs were created and then the zone was signed (either automatically or via a command) there was probably only a valid alg 8 ZSK available. As a result bind used the alg 14 KSK as a de facto CSK and signed the zone RRsets directly. This would make sense given the nature of the issue I had with my key rotation process. However now I have both valid alg 8 and alg 14 ZSK available. Is there a way to go back and get bind to re-evaluate the zone to recognize the valid ZSK records and sign them only?
>
> Timothy A. Holtzen
> Campus Network Administrator
> Nebraska Wesleyan University
> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D C7DD DFFB 7662 24E6 C30D
> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7
>
>> On 8/31/21 18:07, Mark Andrews wrote:
>> Named will continually re-sign parts of the zone as the RRSIGs for a RRset fall due for replacement. Named looks at which keys are in the active state, along with the aforementioned controls, to work out which DNSKEYs will be used to re-sign the RRset. If in the past you only had one key type and you now have two, different keys may be used to re-sign the RRset. If you changed policy in named.conf, the new policy will be implemented as the RRSIGs are re-generated.
>>
>> It looks like you told named to re-sign the zone when there was only one type of DNSKEY key record (or you were unlucky enough for named to check the available keys while there was only one active key present) resulting in named overriding the policy in named.conf.
>>
>> Mark
>>
>>> On 1 Sep 2021, at 03:44, Timothy A. Holtzen via bind-users <bind-users@lists.isc.org> wrote:
>>>
>>> I'm using Algorithm 8 RSA/SHA-256, and Algorithm 14 ECDSA/SHA-384. I have one RSA KSK and one RSA ZSK. In addition I have two ECDSA KSK and two ECDSA ZSK. The RSA KSK seems perfectly happy to sign the ECDSA ZSKs. And both the RSA and ECDSA ZSKs seem to be signing records correctly. It just seems to be the two newer ECDSA KSKs that instead of signing the ZSKs are signing the domain records directly.
>>>
>>> Even more perplexing is that one of the domains seems to have fixed itself. Now all the KSKs for that domain are signing the ZSKs and the ZSKs are signing the domain records. But I've still got a couple of other domains where it is doing it wrong. Is there some kind of timeout or maintenance that gets run automatically that might have fixed the issue? I've tried running an "rndc sign" command on the domains several times.
>>>
>>> Timothy A. Holtzen
>>> Campus Network Administrator
>>> Nebraska Wesleyan University
>>> Public PGP ECC Curve 25519 Key: 11A2 3FDB AD70 12CA D77D C7DD DFFB 7662 24E6 C30D
>>> Old Public PGP RSA key: CFB4 3AE8 B726 DEBF 00D9 CCFC 426E 76AF DABC B3D7
>>>
>>> On 8/30/21 17:40, raf via bind-users wrote:
>>>> On Mon, Aug 30, 2021 at 10:13:05AM -0700, Chris Buxton <cli...@buxtonfamily.us> wrote:
>>>>
>>>>> What algorithm(s) are you using for ZSK and KSK? If they're not the same algorithm, then both will be used to sign the entire zone.
>>>>>
>>>>> Regards,
>>>>> Chris Buxton
>>>>
>>>> Just out of curiosity, why is that? Isn't having the KSK sign the ZSK enough? What difference does the nature of the thing being signed make?
>>>>
>>>> cheers,
>>>> raf
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>>>
>>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>>>
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
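The thread describes the symptom (a KSK signing ordinary RRsets directly) and the rule behind Chris Buxton's answer (with two algorithms in the DNSKEY RRset, every RRset needs an RRSIG under each algorithm, RFC 4035 section 2.2), but never shows how to check a zone for either. The script below is an added example, not code from the thread or from BIND. It reads presentation-format DNSKEY and RRSIG records, one per line, as `dig +dnssec +noall +answer` prints them without `+multi`; computes each DNSKEY's key tag per RFC 4034 Appendix B; maps every RRSIG back to the key that made it; and reports RRSIGs made by an unknown key tag, RRsets signed directly by a key with the SEP bit set, and RRsets missing a signature for an algorithm present in the DNSKEY RRset. The zone name `example.net.`, the key blobs, the signatures and the resulting key tags are all constructed for the example and are not real key material.

```python
"""Audit which DNSKEY signed which RRset in a multi-algorithm DNSSEC zone.

Added example, not code from the bind-users thread or from BIND. Input is
one record per line in presentation format "owner TTL IN TYPE rdata..."
(what `dig +dnssec +noall +answer` prints without +multi). Records other
than DNSKEY and RRSIG are ignored.
"""
import base64
from collections import defaultdict

SEP_FLAG = 0x0001  # RFC 4034 s2.1.1 Secure Entry Point bit; by convention set on the KSK
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}


def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.
    (Algorithm 1, RSA/MD5, uses a different rule and is not handled here.)"""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Return (keys, sigs): keys maps key tag -> DNSKEY facts,
    sigs maps (owner, covered type) -> list of RRSIG facts."""
    keys, sigs = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        owner, rtype, rdata = tok[0], tok[3], tok[4:]  # owner TTL IN TYPE rdata...
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pub = base64.b64decode("".join(rdata[3:]))  # dig prints base64 in chunks
            keys[keytag(flags, proto, alg, pub)] = {"owner": owner, "flags": flags, "alg": alg}
        elif rtype == "RRSIG":
            # rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig...
            sigs[(owner, rdata[0])].append(
                {"alg": int(rdata[1]), "tag": int(rdata[6]), "signer": rdata[7]})
    return keys, sigs


def audit(keys, sigs):
    """Return (owner, type, finding) tuples an operator would want to look at."""
    zone_algs = {k["alg"] for k in keys.values()}
    findings = []
    for (owner, covered), rrsigs in sorted(sigs.items()):
        seen_algs = set()
        for s in rrsigs:
            key = keys.get(s["tag"])
            if key is None:
                findings.append((owner, covered, f"RRSIG by key tag {s['tag']} not in DNSKEY RRset"))
                continue
            if key["alg"] != s["alg"]:
                findings.append((owner, covered,
                                 f"RRSIG alg {s['alg']} differs from DNSKEY alg {key['alg']} (tag {s['tag']})"))
            seen_algs.add(key["alg"])
            # A SEP/KSK signing anything but the DNSKEY RRset is legal (that is what a CSK
            # does) but is a policy deviation if you run a KSK/ZSK split.
            if key["flags"] & SEP_FLAG and covered != "DNSKEY":
                findings.append((owner, covered, f"signed directly by SEP/KSK tag {s['tag']} (alg {s['alg']})"))
        # RFC 4035 s2.2: every RRset needs an RRSIG for each algorithm in the DNSKEY RRset.
        for alg in sorted(zone_algs - seen_algs):
            findings.append((owner, covered, f"no RRSIG for algorithm {alg} ({ALG_NAMES.get(alg, '?')})"))
    return findings


# Constructed sample: key blobs and signatures are placeholders, not real key material.
SAMPLE_ZONE = """
example.net.      3600 IN DNSKEY 257 3 8  AQID
example.net.      3600 IN DNSKEY 256 3 8  BAUG
example.net.      3600 IN DNSKEY 257 3 14 BwgJ
example.net.      3600 IN DNSKEY 256 3 14 CgsM
example.net.      3600 IN RRSIG DNSKEY 8 2 3600 20210930000000 20210901000000 2059 example.net. c2ln
example.net.      3600 IN RRSIG DNSKEY 14 2 3600 20210930000000 20210901000000 5143 example.net. c2ln
example.net.      3600 IN RRSIG NS 8 2 3600 20210930000000 20210901000000 3597 example.net. c2ln
example.net.      3600 IN RRSIG NS 14 2 3600 20210930000000 20210901000000 6681 example.net. c2ln
www.example.net.  300 IN RRSIG A 8 3 300 20210930000000 20210901000000 3597 example.net. c2ln
www.example.net.  300 IN RRSIG A 14 3 300 20210930000000 20210901000000 5143 example.net. c2ln
mail.example.net. 300 IN RRSIG A 8 3 300 20210930000000 20210901000000 3597 example.net. c2ln
"""

if __name__ == "__main__":
    keys, sigs = parse_zone(SAMPLE_ZONE)
    for tag, k in sorted(keys.items()):
        role = "KSK" if k["flags"] & SEP_FLAG else "ZSK"
        print(f"DNSKEY tag {tag:5d} alg {k['alg']:2d} {role}")
    for owner, covered, finding in audit(keys, sigs):
        print(f"{owner} {covered}: {finding}")
```

On the sample, `www.example.net. A` is reported as signed directly by the alg 14 SEP key (the state Timothy describes), and `mail.example.net. A` is reported as lacking an alg 14 RRSIG (the state a validator that supports ECDSA would reject under RFC 4035 section 2.2). The SEP bit is only a hint, so treat the first finding as a question about your signing policy, not as a validation failure; the second is the one that breaks resolution. To run it against a live zone, feed it the output of `dig +dnssec +noall +answer <zone> DNSKEY` together with `dig +dnssec +noall +answer <name> <type>` for the RRsets you want to check, or the records of a zone transfer.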