Join Log in
Score:0
Tenders McChiken avatar Server

How do I prevent Bind from retiring non-expiring DNSSEC keys when using DNSSEC Policy?

eg flag
Tenders McChiken

To control when signatures expire, I've switched to using dnssec-policy to generate DNSSEC records for my zones. This has solved the issue of getting RRSIG records to expire when they should but introduced a new problem of its own.

bind9 is now constantly attempting to retire my non-expiring KSK and ZKS keys. How do I configure bind not to attempt any key rotation when the keys never expire?

This is the relavent portion of my logs:

named[5078]: keymgr: retire DNSKEY example.com/ED25519/00000 (KSK)
named[5078]: keymgr: DNSKEY example.com/ED25519/50916 (ZSK) created for policy example-com-policy
named[5078]: zone example.com/IN (signed): zone_rekey:dns_dnssec_keymgr failed: error occurred writing key to disk

Some more info on my setup:

  1. KSK and ZSK keys were generated by running:

    dnssec-keygen -a ED25519 -f KSK example.com
dnssec-keygen -a ED25519 example.com

  2. Policy declaration in named.conf.local:

    dnssec-policy example-com-policy {
  dnskey-ttl 300;
  keys {
      ksk key-directory lifetime unlimited algorithm ED25519;
      zsk key-directory lifetime unlimited algorithm ED25519;
  };
  max-zone-ttl 300;
  parent-ds-ttl 300;
  parent-propagation-delay 2h;
  publish-safety 7d;
  retire-safety 7d;
  signatures-refresh 1439h;
  signatures-validity 90d;
  signatures-validity-dnskey 90d;
  zone-propagation-delay 2h;
};

  3. Zone declaration in named.conf.local:

    zone "example.com" {
     type master;
     file ".../db.example.com";
     allow-transfer  { ... };
     also-notify     { ... };

     key-directory "...";
     serial-update-method unixtime;
     dnssec-policy example-com-policy;
};

  4. and the contents of .../db.example.com:

    $TTL 300
@    IN  SOA ns1.example.com. admin.example.com. (
         1634019890      ; Serial
         10m             ; Refresh
         20m             ; Retry
         9w              ; Expire
         1h )            ; Negative Cache TTL
;

example.com. IN  NS  ns1.example.com.
example.com. IN  NS  ns2.example.com.

; ...

  5. System information:

    • bind9 9.16.15-debian
    • Debian 11 (latest stable)
    • Default apparmor configuration
    • named has read-only access to the keys directory

2021-10-22 Update

The timing information for both keys (according to dnssec-settime -p all) is:

Created: Sun Oct 10 07:51:48 2021
Publish: Sun Oct 10 07:51:48 2021
Activate: Sun Oct 10 07:51:48 2021
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
SYNC Publish: UNSET
SYNC Delete: UNSET
DS Publish: UNSET
DS Delete: UNSET
214
0 + 0
pl flag
Adrian Zaugg
Timing information is saved in the keys aswell, use dnssec-settime to modify: See under https://dnssec-guide.readthedocs.io/en/latest/signing.html#setting-key-timing-information. Does this solve your problem?
0
Reply
Tenders McChiken avatar
eg flag
Tenders McChiken
Since the keys never expire, I'm not sure that the timing information embedded in my keys is what's causing this issue. I've edited my post to include the timing information for the two keys.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.