DNSSEC: Why aren't the old keys going hidden?

[Larry Rosenman]

I have 2 domains where I switched from Alg 8 to Alg 13, but the old keys don't seem to be going away.

Attached are the state files, and the rndc dnssec -status outputs.

Ideas?

--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640                 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106

dnssec-policy: ler2
current time:  Sun May  1 15:49:25 2022

key: 22146 (RSASHA256), ZSK
  published:      yes - since Sun Apr 10 13:59:22 2022
  zone signing:   yes - since Sun Apr 10 13:59:22 2022

  Rollover is due since Mon Apr 25 09:30:37 2022
  - goal:           hidden
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent

key: 29251 (ECDSAP256SHA256), KSK
  published:      yes - since Sat Apr 16 21:41:31 2022
  key signing:    yes - since Sat Apr 16 21:41:31 2022

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             omnipresent
  - key rrsig:      omnipresent

key: 17471 (RSASHA256), KSK
  published:      yes - since Sun Apr 10 13:59:22 2022
  key signing:    yes - since Sun Apr 10 13:59:22 2022

  Rollover is due since Mon Apr 25 11:35:57 2022
  - goal:           hidden
  - dnskey:         omnipresent
  - ds:             unretentive
  - key rrsig:      omnipresent

key: 17274 (ECDSAP256SHA256), ZSK
  published:      yes - since Sat Apr 16 21:41:31 2022
  zone signing:   yes - since Sat Apr 16 21:41:31 2022

  Next rollover scheduled on Fri Jul 15 19:36:31 2022
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent


dnssec-policy: ler2
current time:  Sun May  1 15:48:59 2022

key: 43159 (ECDSAP256SHA256), KSK
  published:      yes - since Sat Apr 16 21:41:31 2022
  key signing:    yes - since Sat Apr 16 21:41:31 2022

  Rollover is due since Mon Apr 25 13:41:36 2022
  - goal:           hidden
  - dnskey:         omnipresent
  - ds:             unretentive
  - key rrsig:      omnipresent

key: 12796 (RSASHA256), KSK
  published:      yes - since Sun Apr 10 13:59:22 2022
  key signing:    yes - since Sun Apr 10 13:59:22 2022

  Rollover is due since Mon Apr 25 11:36:50 2022
  - goal:           hidden
  - dnskey:         omnipresent
  - ds:             unretentive
  - key rrsig:      omnipresent

key: 39581 (ECDSAP256SHA256), KSK
  published:      yes - since Mon Apr 25 09:31:36 2022
  key signing:    yes - since Mon Apr 25 09:31:36 2022

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             rumoured
  - key rrsig:      omnipresent

key: 5844 (RSASHA256), ZSK
  published:      yes - since Sun Apr 10 13:59:22 2022
  zone signing:   yes - since Sun Apr 10 13:59:22 2022

  Rollover is due since Wed Apr 27 10:54:16 2022
  - goal:           hidden
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent

key: 3879 (ECDSAP256SHA256), ZSK
  published:      yes - since Sat Apr 16 21:41:31 2022
  zone signing:   yes - since Sat Apr 16 21:41:31 2022

  Next rollover scheduled on Fri Jul 15 19:36:31 2022
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent

bind-keys-issue.tar.gz
Description: application/gzip

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users