On 12/28/23 12:58, Adrian Zaugg wrote:
> Hi Nick
> 
> Not changing the key algo does help indeed when introducing dnssec-policy, see
> the log below. Thank you very much for pointing this out.
> 
> But I do not understand why BIND deletes valid and published keys, just
> because there should be another algo used. Couldn't this be done in a smooth
> key rollover process as well? Maybe someone with more insights than I have
> could explain this behaviour. Thanks!

I suspect because it did not have the right key states set. In order to do this all automatically we need to maintain state. Prior to dnssec-policy there is no such state. When migrating to dnssec-policy we try to derive the key states from the key timing metadata in the key files.

You should check if the migration is complete and all key states are in omnipresent. You can do so with 'rndc dnssec -status <zone>'. From that point on it should be safe to make policy configuration changes, such as algorithm rolls, and old keys are phased out smoothly.

I am thinking of adding an additional safety mechanism during migration, because you are not the first one to do this.

Best regards,
  Matthijs


> Best regards, Adrian.
> 
> 
> Log of successful change from auto-dnssec to dnssec-policy (using the same
> algo):
> 2023-12-28 11:53:00: zone myzone.ch/IN (signed): generated salt: [...]
> 2023-12-28 11:53:00: zone myzone.ch/IN (signed): checkds: set 4 parentals
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): zone_addnsec3chain(1,CREATE,
> 32,[...])
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): reconfiguring zone keys
> 2023-12-28 11:53:01: keymgr: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK)
> created for policy mypolicy_ecdsa
> 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.
> +013+61287.private have changed from 0640 to 0600 as a result of this
> operation.
> 2023-12-28 11:53:01: Permissions on the file /var/lib/bind/keys/Kmyzone.ch.
> +013+38348.private have changed from 0640 to 0600 as a result of this
> operation.
> 2023-12-28 11:53:01: Fetching myzone.ch/ECDSAP256SHA256/50817 (ZSK) from key
> repository.
> 2023-12-28 11:53:01: Key myzone.ch/ECDSAP256SHA256/50817: Delaying activation
> to match the DNSKEY TTL (86400).
> 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now
> published
> 2023-12-28 11:53:01: DNSKEY myzone.ch/ECDSAP256SHA256/50817 (ZSK) is now
> active
> 2023-12-28 11:53:01: CDS for key myzone.ch/ECDSAP256SHA256/61287 is now
> published
> 2023-12-28 11:53:01: CDNSKEY for key myzone.ch/ECDSAP256SHA256/61287 is now
> published
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): next key event: 28-Dec-2023
> 12:53:01.176
> 2023-12-28 11:53:01: zone myzone.ch/IN (signed): sending notifies (serial
> 2021010692)


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
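The check Matthijs recommends (confirm with 'rndc dnssec -status <zone>' that every key state is omnipresent before touching the policy), as an added example that is not part of this thread and not ISC's code. It is a POSIX shell script that parses the status text and refuses to give the go-ahead while any state is still rumoured or hidden. The sample status output embedded in it is constructed to resemble what BIND 9.16+ prints; the exact layout (indentation, field names such as "key rrsig", the rollover line) is an assumption, as are the helper names check_key_states and gate_policy_change. The key tags reuse the ones from Adrian's log but the states shown for them are invented.

```shell
#!/bin/sh
# Gate a dnssec-policy change on 'rndc dnssec -status <zone>' reporting every
# key state as omnipresent. Added example, not code from ISC or this thread.

# Read status text on stdin. Print one line per key state that is not yet
# omnipresent and return 1 if any were found, 0 if the migration is complete.
# Assumed layout: "key: <id> (<alg>), <role>" headers followed by
# "  - <state name>:   <value>" lines, as BIND 9.16+ prints them.
check_key_states() {
    awk '
        BEGIN { bad = 0 }
        /^key: / { key = $2 }                      # remember the key tag
        /^  - [a-z ]+: +[a-z]+$/ {                 # goal / dnskey / ds / rrsig
            state = $NF
            name = $0
            sub(/^  - /, "", name)
            sub(/: .*$/, "", name)
            if (state != "omnipresent") {
                printf "key %s: %s is %s\n", key, name, state
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Ask named for the live status of ZONE and only print the go-ahead when
# nothing is still rumoured or hidden. Hypothetical wrapper; needs a live rndc.
gate_policy_change() {
    zone=$1
    if rndc dnssec -status "$zone" | check_key_states; then
        echo "$zone: all key states omnipresent; policy changes are safe"
    else
        echo "$zone: migration not finished; do not change dnssec-policy yet" >&2
        return 1
    fi
}

# Constructed sample: migration finished, both keys fully omnipresent.
SAMPLE_COMPLETE='dnssec-policy: mypolicy_ecdsa
current time:  Fri Jan 26 12:00:00 2024

key: 61287 (ECDSAP256SHA256), KSK
  published:      yes - since Thu Dec 28 11:53:01 2023
  key signing:    yes - since Thu Dec 28 11:53:01 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - key rrsig:      omnipresent
  - ds:             omnipresent

key: 50817 (ECDSAP256SHA256), ZSK
  published:      yes - since Thu Dec 28 11:53:01 2023
  zone signing:   yes - since Thu Dec 28 11:53:01 2023

  Next rollover scheduled on Thu Feb 22 11:53:01 2024
  - goal:           omnipresent
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent'

# Constructed sample: just after the switch, the new ZSK is still being
# introduced and the old ZSK has goal hidden, i.e. it is being retired.
SAMPLE_IN_PROGRESS='dnssec-policy: mypolicy_ecdsa
current time:  Thu Dec 28 12:00:00 2023

key: 61287 (ECDSAP256SHA256), KSK
  published:      yes - since Thu Dec 28 11:53:01 2023
  key signing:    yes - since Thu Dec 28 11:53:01 2023

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - key rrsig:      omnipresent
  - ds:             omnipresent

key: 50817 (ECDSAP256SHA256), ZSK
  published:      yes - since Thu Dec 28 11:53:01 2023
  zone signing:   yes - since Thu Dec 28 11:53:01 2023

  Next rollover scheduled on Thu Jan 25 11:53:01 2024
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     rumoured

key: 38348 (ECDSAP256SHA256), ZSK
  published:      yes - since Sat Jan 16 09:12:44 2021
  zone signing:   yes - since Sat Jan 16 09:12:44 2021

  No rollover scheduled
  - goal:           hidden
  - dnskey:         omnipresent
  - zone rrsig:     omnipresent'

# Demo on the constructed samples (gate_policy_change needs a running named).
for sample in "$SAMPLE_COMPLETE" "$SAMPLE_IN_PROGRESS"; do
    if printf '%s\n' "$sample" | check_key_states; then
        echo "-> migration complete, safe to change dnssec-policy"
    else
        echo "-> migration still in progress, wait for the next key event"
    fi
done
```

On the in-progress sample the script reports the new ZSK's dnskey and zone rrsig states as rumoured and the old ZSK's goal as hidden, and exits non-zero; only once every line reads omnipresent does it give the go-ahead. Run it periodically (or after each "next key event" in the log) rather than once, since the states advance on TTL-driven timers such as the 86400-second DNSKEY TTL visible in Adrian's log.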


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users