I'm doing a rollover of my KSK and ZSK (concurrent with a server transfer) and BIND (version 9.16.23) has started causing problems for me. I have the following keys in my directory:
; Kexample.ca.+007+10274.key
; This is a zone-signing key, keyid 10274, for example.ca.
; Created: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Publish: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Activate: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Inactive: 20221016000000 (Sat Oct 15 20:00:00 2022)
; Delete: 20221101000000 (Mon Oct 31 20:00:00 2022)
example.ca. IN DNSKEY 256 3 7 AwEAAdrZTmbJJiG5DpbDxB4hFsC5h5HfvClN2hCqCTM+K/mL6yUuGNMK
...
; Kexample.ca.+007+56883.key
; This is a key-signing key, keyid 56883, for example.ca.
; Created: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Publish: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Activate: 20170629213331 (Thu Jun 29 17:33:31 2017)
; Inactive: 20221013000000 (Wed Oct 12 20:00:00 2022)
; Delete: 20221015000000 (Fri Oct 14 20:00:00 2022)
example.ca. IN DNSKEY 257 3 7 AwEAAco64iLFxmdJo71EVDcgoU7fCf+KtGVVb5qNJ5Cqy2fIfQ14lfpi
...
; Kexample.ca.+015+37539.key
; This is a zone-signing key, keyid 37539, for example.ca.
; Created: 20221003223624 (Mon Oct 3 18:36:24 2022)
; Publish: 20221003223624 (Mon Oct 3 18:36:24 2022)
; Activate: 20221015000000 (Fri Oct 14 20:00:00 2022)
example.ca. IN DNSKEY 256 3 15 d5jO/VChUOdTxJbFIT/JnUC...
; Kexample.ca.+015+44951.key
; This is a key-signing key, keyid 44951, for example.ca.
; Created: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Publish: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Activate: 20221014000000 (Thu Oct 13 20:00:00 2022)
example.ca. IN DNSKEY 257 3 15 yTweQBDrmRQB9TlRCw5UjfLm...
And a standard zone config:
zone "example.ca" IN {
    type master;
    file "dynamic/db.example.ca.signed";
    auto-dnssec maintain;
    update-policy {
        grant "local-nsupdate-key" zonesub ANY;
    };
};
So as you can see from the dates, the old RSA keys should have stopped being used by now, replaced with the ED25519 keys. But this is not the case. What BIND is doing now is signing almost all the records in the zone (the NSEC records are correctly signed by only the current ZSK) with the old inactive ZSK, the new ZSK, and the new KSK:
A       1.234.56.7
RRSIG   A 7 2 7200 (
            20221108175559 20221009172553 10274 example.ca.
            OWuM4QbyhPMHAdAar3VN2UwtnQdNuAJ6SI638fjA7Qwi
            awbXkiWDmoMu0gPi+96f7sECeePFcrGhZwWNBaNOZM5k
            adrzaU74LyRB6uKNJ8+oJyk8gLWyLP70iuxxKqmvJyra
            sQ7evDHQOeN68VohLw+dnvsyPQt2gjyPwq+3KOyPBnu9
            WAQMfPsI5ApDj2bKodZ+YPbeGtphNFmLUo4dDvgDmTaP
            uVlFv/y8BcZVmtG5OzPk0eRmQR8z61NWU5/vLDA1BdnR
            3YxH0GCYAS6uD69KpAdi8vCoPKrz+SapY4ZVOcIqljGK
            j8G6AmXBL1lPYbqUZl3+b0R25rKbdgOKeg== )
RRSIG   A 15 2 7200 (
            20221109073728 20221014123919 44951 example.ca.
            nsK1mxNMwkpYODNwR/VggyHKhFaOd2+ZQtQxn8Np6X/Q
            N3s+ziXwvuP+ShizVVwupfzXydkZTtBmK0lLzqOWAg== )
RRSIG   A 15 2 7200 (
            20221108202820 20221016223139 37539 example.ca.
            Fj//9E+jgVtMPiltKit8cKMO3Q1XzAO9uGM9eWS2kcA9
            t1JQfzhPP/0z0bw5OpSjjCfP8qnvbuJDHk+aG0MIAQ== )
Aside from the date issue, this should not be happening, and is not happening with other DNSSEC zones I manage. Why is BIND bungling this zone so badly? (Or, why am I misunderstanding this so badly?!)
Debug log output showing what happens when I run rndc sign example.ca is available, if it's useful. Doesn't look too helpful to my eyes though.
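An added check, not part of the original post: this Python snippet parses the timing metadata from the K*.key headers quoted above, reports each key's state at a chosen instant, and flags any RRSIG whose signer the timing metadata does not justify at that instant. Key ids and timestamps are copied from the question; the three RRSIGs are reduced to (type covered, keyid) pairs and the retired KSK 56883 is left out because no shown RRSIG references it.

```python
# Added example, not from the original post: what BIND's key timing metadata says
# should be signing at a given instant, and which RRSIGs fall outside that.
import re
from datetime import datetime, timezone
# Constructed excerpt of the K*.key comment headers shown in the question.
KEY_FILES = """
; This is a zone-signing key, keyid 10274, for example.ca.
; Activate: 20170629213318 (Thu Jun 29 17:33:18 2017)
; Inactive: 20221016000000 (Sat Oct 15 20:00:00 2022)
; Delete: 20221101000000 (Mon Oct 31 20:00:00 2022)
; This is a zone-signing key, keyid 37539, for example.ca.
; Publish: 20221003223624 (Mon Oct 3 18:36:24 2022)
; Activate: 20221015000000 (Fri Oct 14 20:00:00 2022)
; This is a key-signing key, keyid 44951, for example.ca.
; Publish: 20221014002306 (Thu Oct 13 20:23:06 2022)
; Activate: 20221014000000 (Thu Oct 13 20:00:00 2022)
"""
RRSIGS = [("A", 10274), ("A", 44951), ("A", 37539)]  # (RRtype covered, signing keyid)

def ts(s):  # YYYYMMDDHHMMSS, UTC, as written in key files and RRSIGs
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_keys(text):
    """Return {keyid: {"role": "ZSK"|"KSK", <event name>: datetime, ...}}."""
    keys, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"; This is a (zone|key)-signing key, keyid (\d+)", line)
        if m:
            cur = keys.setdefault(int(m[2]), {"role": "ZSK" if m[1] == "zone" else "KSK"})
        elif cur is not None and (m := re.match(r"; (\w+): (\d{14})", line)):
            cur[m[1]] = ts(m[2])  # Created/Publish/Activate/Inactive/Delete
    return keys

def key_state(k, when):
    """Timing state of one key at `when`: the latest scheduled event already passed."""
    for ev, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                      ("Activate", "active"), ("Publish", "published")):
        if ev in k and k[ev] <= when:
            return state
    return "unpublished"

def audit(keys, rrsigs, when):
    """(keyid, reason) for each RRSIG that key timing does not justify at `when`;
    a KSK signing anything but DNSKEY is also flagged (BIND's default convention)."""
    problems = []
    for rtype, kid in rrsigs:
        state = key_state(keys[kid], when)
        if state != "active":
            problems.append((kid, "signer is " + state))
        elif keys[kid]["role"] == "KSK" and rtype != "DNSKEY":
            problems.append((kid, "KSK signing " + rtype))
    return problems
```

Run `audit(parse_keys(KEY_FILES), RRSIGS, ts("20221020000000"))` to see the two RRSIGs the question complains about flagged: the one from ZSK 10274 (past its Inactive time) and the one from KSK 44951 covering an A record.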