Hi Jakub,

For now, yes, the SKR file needs to be imported after a restart. I admit we can make that a bit nicer.

If the earlier bundles in the file have expired that should be fine. BIND will pick the bundle according to the current date and time.

If all bundles in the file have expired (if that is what you mean by "the SKR expires"), it is time to create a new SKR file. Yes, that file needs to be reloaded into BIND with 'rndc skr -import'.

Best regards,

Matthijs
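A small check that applies the rule above to an SKR file, added here as an example (it is not part of the reply and not BIND's own code): it parses the `;; SignedKeyResponse` headers in the format quoted further down in the thread together with the RRSIG expiration times in each bundle, reports which bundle covers a given time, and flags when every signature in the file has expired, i.e. when a new SKR must be generated and imported with `rndc skr -import`. The sample SKR content and its RRSIG records are constructed, and treating the latest RRSIG expiration as the end of the file's usefulness is an assumption.

```python
import re
from datetime import datetime, timezone
# Bundle header as quoted in the thread; RRSIG fields follow the standard
# presentation format: RRSIG <type> <alg> <labels> <ttl> <expiration> <inception> ...
BUNDLE = re.compile(r"^;; SignedKeyResponse \S+ (\d{14})")
RRSIG = re.compile(r"\bRRSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\b")
# Constructed sample SKR (signature data shortened); bundle dates mirror the thread.
SAMPLE_SKR = """\
;; SignedKeyResponse 1.0 20260403153847 (Fri Apr  3 17:38:47 2026)
domain.tld. 3600 IN RRSIG DNSKEY 8 2 3600 20260414153847 20260403153847 12345 domain.tld. AAAA
;; SignedKeyResponse 1.0 20260412153847 (Sun Apr 12 17:38:47 2026)
domain.tld. 3600 IN RRSIG DNSKEY 8 2 3600 20260423153847 20260412153847 12345 domain.tld. AAAA
;; SignedKeyResponse 1.0 20260421153847 (Tue Apr 21 17:38:47 2026)
domain.tld. 3600 IN RRSIG DNSKEY 8 2 3600 20260502153847 20260421153847 12345 domain.tld. AAAA
;; SignedKeyResponse 1.0 20260430153847 (Thu Apr 30 17:38:47 2026)
domain.tld. 3600 IN RRSIG DNSKEY 8 2 3600 20260511153847 20260430153847 12345 domain.tld. AAAA
"""

def _ts(s):
    # YYYYMMDDHHMMSS (as used in SKR headers and RRSIGs) -> aware UTC datetime
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_bundles(skr_text):
    """Return [(inception, latest RRSIG expiration or None)] per bundle, in file order."""
    bundles = []
    for line in skr_text.splitlines():
        m = BUNDLE.match(line)
        if m:
            bundles.append([_ts(m.group(1)), None])
            continue
        m = RRSIG.search(line)
        if m and bundles:
            exp = _ts(m.group(1))
            if bundles[-1][1] is None or exp > bundles[-1][1]:
                bundles[-1][1] = exp
    return [tuple(b) for b in bundles]

def skr_status(skr_text, now):
    """Return ('not-yet-valid', first_start), ('active', bundle_start) or ('exhausted', end)."""
    bundles = parse_bundles(skr_text)
    if not bundles:
        raise ValueError("no SignedKeyResponse bundles in file")
    if now < bundles[0][0]:
        return ("not-yet-valid", bundles[0][0])
    # Assumption: once every signature in the file has expired, the SKR is used up
    # and a new one must be generated and imported with 'rndc skr -import'.
    ends = [e for _, e in bundles if e is not None]
    if ends and now >= max(ends):
        return ("exhausted", max(ends))
    # BIND picks the bundle by the current time: the latest one whose inception <= now.
    current = max(b[0] for b in bundles if b[0] <= now)
    return ("active", current)
```

Run it against the real file with `skr_status(open("domain.tld.skr").read(), datetime.now(timezone.utc))` from a cron job and alert on "exhausted" well before the last bundle runs out.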


On 4/4/26 18:43, Jakub Suchý wrote:
Hello,
I am trying to use the offline KSK setup. I have a question regarding SKR
file persistence.
Should the SKR persist across restarts, or is it expected that it must be 
re-imported after each server reboot?

I have this dnssec-policy:
     dnssec-policy "offlineksk" {
         offline-ksk yes;
         inline-signing yes;
         publish-safety PT12H;
         retire-safety PT12H;
         keys {
             ksk lifetime P5Y algorithm 8 2048;
             zsk lifetime P6M algorithm 8 2048;
         };
     };

and this zone config:
view "view-lan" {
     ...
     zone "domain.tld" {
         type primary;
         notify no;
         file "/var/lib/bind/zones/domain.tld.zone";
         dnssec-policy "offlineksk";
         key-directory "/var/lib/bind/keys";
     };
};

I have no problem generating the KSR and SKR (on a different machine). This is
partial output of `grep -i signed domain.tld.skr`:
     ;; SignedKeyResponse 1.0 20260403153847 (Fri Apr  3 17:38:47 2026)
     ;; SignedKeyResponse 1.0 20260412153847 (Sun Apr 12 17:38:47 2026)
     ;; SignedKeyResponse 1.0 20260421153847 (Tue Apr 21 17:38:47 2026)
     ;; SignedKeyResponse 1.0 20260430153847 (Thu Apr 30 17:38:47 2026)
(It contains bundles for a few months.)

Loading the SKR using rndc works; in the logs I get the following, which seems correct:
     dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys
     dnssec: info: zone domain.tld/IN/lan-view (signed): next key event: 04-Apr-2026 18:34:54.243

However, after a restart of BIND (or the machine), there is an error in the log regarding
the SKR file:
     dnssec: info: zone domain.tld/IN/lan-view (signed): reconfiguring zone keys
     dnssec: error: zone domain.tld/IN/lan-view (signed): zone_rekey failure: no SKR file (retry in 600 seconds)

Does this mean I need to import the SKR after each server reboot? It works for 
the current SKR bundle, but that will expire in a while. Does the SKR need to 
be reloaded into BIND when it expires if the server was restarted in the 
meantime?

Thank you

Best regards,
Jakub
