Why should you want them to go away while you still have DS records referencing 
them?

You also have a CDS record referencing a DNSKEY that dnssec-policy doesn’t seem 
to know about.

sienawx.us.             2892    IN      CDS     49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED

The DS records need to be removed before the DNSKEYs referencing them go. Also, 
does your registrar support CDS/CDNSKEY or do you need to manually update the 
DS records?  Based on 
https://support.google.com/domains/answer/6387342?hl=en&ref_topic=9018335 I’d 
say no.

Mark

% dig lerctr.net ds
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> lerctr.net ds
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46574
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 61d83398feb22dcc01000000626f31afa85af3f9e59685a3 (good)
;; QUESTION SECTION:
;lerctr.net.                    IN      DS

;; ANSWER SECTION:
lerctr.net.             86400   IN      DS      56326 8 2 6D8570580160E5EB05BD9ACA38FD0DE6F58796D5C8D8286319944C2D AC10588B
lerctr.net.             86400   IN      DS      43159 13 2 924A3AA6EBD540CBAA086F472A10C4028CEA4D80BCF79EE89AC4258B 1C2A77F6
lerctr.net.             86400   IN      DS      12796 8 2 E227022B9D50905F9433440F99B6EEFAC405E3749BC85D9E080E7E5C 96BE7B30
lerctr.net.             86400   IN      DS      19884 8 2 96455491FBB7BEF8B4B0900903651467A4439752F01F17CC26C629A1 0FFCEB10

;; Query time: 1149 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:19:43 AEST 2022
;; MSG SIZE  rcvd: 259

% dig cds lerctr.net
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cds lerctr.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 205
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 84426f6e7a374a3701000000626f31d133d8bf1be58d8f01 (good)
;; QUESTION SECTION:
;lerctr.net.                    IN      CDS

;; ANSWER SECTION:
lerctr.net.             3600    IN      CDS     39581 13 2 406BD487D1FC1573A9E8B4F6F2F0F0D740CB10EC0A90CF2398856DE8 85166F0F

;; Query time: 2621 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:20:17 AEST 2022
;; MSG SIZE  rcvd: 115

% 

% dig ds sienawx.us
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> ds sienawx.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2699
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e9ef7c1d464cfb4a01000000626f35595756c5c64e7fa839 (good)
;; QUESTION SECTION:
;sienawx.us.                    IN      DS

;; ANSWER SECTION:
sienawx.us.             2887    IN      DS      49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
sienawx.us.             2887    IN      DS      17471 8 2 4C1FF0CD2F5BB46B3929BC1A4754379E1A90669667CDC600407828DD 1896366D
sienawx.us.             2887    IN      DS      29251 13 2 CE68A1AB764862F85A3A2D48C276A19949571428E3615ACB31F768A5 43E969B0
sienawx.us.             2887    IN      DS      36004 8 2 B005D81CCF01AACB87FD866F854E00AFDBC2985191D04EB4ADD0511C 362CE07E

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:35:21 AEST 2022
;; MSG SIZE  rcvd: 259

% dig cds sienawx.us
;; BADCOOKIE, retrying.

; <<>> DiG 9.17.22 <<>> cds sienawx.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54322
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c5452feeafb797a901000000626f355e0bec2b530769829f (good)
;; QUESTION SECTION:
;sienawx.us.                    IN      CDS

;; ANSWER SECTION:
sienawx.us.             2892    IN      CDS     49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
sienawx.us.             2892    IN      CDS     29251 13 2 CE68A1AB764862F85A3A2D48C276A19949571428E3615ACB31F768A5 43E969B0

;; Query time: 0 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Mon May 02 11:35:26 AEST 2022
;; MSG SIZE  rcvd: 163

% 


> On 2 May 2022, at 06:51, Larry Rosenman <l...@lerctr.org> wrote:
> 
> I have 2 domains where I switched from Alg 8 to Alg 13, but the old keys 
> don't seem to be going away.
> 
> Attached are the state files, and the rndc dnssec -status outputs.
> 
> Ideas?
> 
> -- 
> Larry Rosenman                     http://www.lerctr.org/~ler
> Phone: +1 214-642-9640                 E-Mail: l...@lerctr.org
> US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
> <sienawx.us.state><lerctr.net.state><bind-keys-issue.tar.gz>-- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
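
Added example, not part of the original message or of BIND: a Python check for the situation described in the reply above, diffing the DS set held by the parent against the CDS set the child publishes and flagging records still on the pre-rollover algorithm. The function names and the target-algorithm parameter are assumptions made for illustration; the sample input is the sienawx.us answers from the dig output in the message.

```python
# Constructed sample: the sienawx.us DS and CDS answers quoted in the message,
# one record per line (as dig prints them, digest split into chunks).
DS_ANSWER = """\
sienawx.us. 2887 IN DS 49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
sienawx.us. 2887 IN DS 17471 8 2 4C1FF0CD2F5BB46B3929BC1A4754379E1A90669667CDC600407828DD 1896366D
sienawx.us. 2887 IN DS 29251 13 2 CE68A1AB764862F85A3A2D48C276A19949571428E3615ACB31F768A5 43E969B0
sienawx.us. 2887 IN DS 36004 8 2 B005D81CCF01AACB87FD866F854E00AFDBC2985191D04EB4ADD0511C 362CE07E
"""
CDS_ANSWER = """\
sienawx.us. 2892 IN CDS 49366 8 2 60E3D64328B3D8929838FD1F2AB03CD5C8C72E3185C667B059E00157 D95F8CED
sienawx.us. 2892 IN CDS 29251 13 2 CE68A1AB764862F85A3A2D48C276A19949571428E3615ACB31F768A5 43E969B0
"""


def parse_rrset(text, rrtype):
    """Return a set of (key_tag, algorithm, digest_type, digest) tuples."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip dig comments (";; ...", ";name IN DS"), blanks and other types.
        if line.startswith(";") or len(fields) < 8 or fields[3].upper() != rrtype:
            continue
        key_tag, algorithm, digest_type = (int(f) for f in fields[4:7])
        # dig prints long digests in space-separated chunks; rejoin them.
        records.add((key_tag, algorithm, digest_type, "".join(fields[7:]).upper()))
    return records


def rollover_report(ds_text, cds_text, target_algorithm):
    """Summarise, by key tag, how the parent DS set differs from the child CDS set."""
    ds, cds = parse_rrset(ds_text, "DS"), parse_rrset(cds_text, "CDS")
    return {
        # DS still at the parent that the child no longer asks for.
        "ds_not_in_cds": sorted(r[0] for r in ds - cds),
        # CDS the child publishes that the parent has not picked up.
        "cds_not_in_ds": sorted(r[0] for r in cds - ds),
        # CDS still advertising a key on an algorithm other than the target.
        "cds_old_algorithm": sorted(r[0] for r in cds if r[1] != target_algorithm),
        # DS at the parent on an algorithm other than the target.
        "ds_old_algorithm": sorted(r[0] for r in ds if r[1] != target_algorithm),
    }


if __name__ == "__main__":
    for name, tags in rollover_report(DS_ANSWER, CDS_ANSWER, 13).items():
        print(f"{name}: {tags}")
```

The parser expects one record per line, so output pasted from a mail client that has wrapped the digest onto its own line needs rejoining first.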
