How do I know the key sizes of my Bind DNSSEC keys?

Morgan Wesström

2/26/24, 11:20 PM

I set up DNSSEC on my private domain many years ago and unfortunately forgot all about it. Bind now tells me it's about to deprecate auto-dnssec in favour of dnssec-policy and I need to migrate my configuration.

I can see my keys are using RSASHA256 and if I understand the documentation correctly I need to define the KSK and ZSK key sizes in the policy like this:

dnssec-policy "mypolicy" {
        keys {
                ksk lifetime unlimited algorithm RSASHA256 <key-size>;
                zsk lifetime unlimited algorithm RSASHA256 <key-size>;
        };
};

But how do I know what key-sizes I'm currently using? I created them so many years ago and no longer remember.

Regards
Morgan

0 + 1

bind

dnssec

Morgan Wesström

2/27/24, 1:04 AM

Digging deeper into this I think I figured it out myself. The information in Bind's key files are encoded with Base64. Decoding the Modulus fields from my two private key files, result in two strings, each 256 characters long. This is 2048 bits and if my Google-fu is correct, this should be the key length. So it seems I created both the KSK and ZSK with 2048 bits. Confirmation of my reasoning would be appreciated. :-)

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How do I know the key sizes of my Bind DNSSEC keys?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.