BIND with dnssec-policy stops signing when removing the ZSK key files
Summary
When the ZSK key files are removed from the key-directory together with the journal files (.signed.jnl, .jnl, .jbk), then, under certain circumstances, BIND does create a new ZSK (after restart) but is no longer able to sign the RRs (neither the DNSKEY RRset with the KSK nor the TXT RRset with the ZSK).
BIND version used
9.16.22, self-compiled
Steps to reproduce
Perhaps this behavior has something to do with timings or timers, because I needed to wait about one night (e.g. 8h) before I was able to reproduce the issue again this morning.
With this quick-and-dirty helper script, I can always reproduce this issue (after the mentioned waiting time):
```bash
#!/bin/bash
# Reproducer: delete the zone's ZSK key files and journal files, then restart named.
KEY_ROOT="/chroot/bind/etc/named/keys"
MASTER_DIR="/var/named/master"
[[ $# -lt 1 ]] && { echo "specify a zone"; exit 1; }
ZONE=$1
[[ ! -d "${KEY_ROOT}/${ZONE}" ]] && { echo "key-dir does not exist"; exit 1; }
cd "${KEY_ROOT}/${ZONE}/" || exit 1
# The .state files carry "ZSK: yes"; strip the .state suffix to get the key file base name(s).
ZSK=$(grep -l "ZSK: yes" *.state | sed 's,\(.*\)\.state,\1,g')
[[ -z "$ZSK" ]] && { echo "no ZSK found"; exit 1; }
echo "ZSK found: $ZSK"
systemctl stop named
# Remove the ZSK .key/.private/.state files (one key per line in $ZSK) ...
for key in $ZSK; do
    rm -f "${KEY_ROOT}/${ZONE}/${key}".*
done
# ... and the zone's journal files (.signed.jnl, .jnl, .jbk).
rm -rf "${MASTER_DIR}/${ZONE}.hosts."*
systemctl start named
```
What is the current bug behavior?
dnssec-policy no longer signs the zone, even after running "rndc sign example.ch":
```
# No RRSIG for the DNSKEY-RR
$ dig @127.0.0.1 +short +norec +dnssec dnskey example.ch
256 3 13 yzEu6qim1W01nMHAPGhB8nXM2Qb+PTJH0c5+muyy1QjVy4+dldge0Tw6 H0rckR/sNyQOAPzpsChOqqHZhSF32w==
257 3 13 f2m47DhSRftPS7dbCw8u/C2Gnek3XJyf+FpD1gJg1dl2ZXpVVtx7RsJS ML1bq3WHrWz2IRQvW/0rsvB1f3z2WQ==
# Also no RRSIG for the TXT-Record
$ dig @127.0.0.1 +short +norec +dnssec txt example.ch
"v=spf1 -all"
```
rndc dnssec -status example.ch
```
$ rndc dnssec -status example.ch
dnssec-policy: thewaytogo-faster
current time: Tue Nov 30 10:09:13 2021

key: 54591 (ECDSAP256SHA256), ZSK
  published:      yes - since Tue Nov 30 09:59:00 2021
  zone signing:   no

  Next rollover scheduled on Tue Dec  7 07:54:00 2021
  - goal:           omnipresent
  - dnskey:         rumoured
  - zone rrsig:     hidden

key: 56340 (ECDSAP256SHA256), KSK
  published:      yes - since Mon Nov 29 20:54:22 2021
  key signing:    yes - since Mon Nov 29 20:54:22 2021

  No rollover scheduled
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             omnipresent
  - key rrsig:      omnipresent
```
reloading
Reloading the zone shows (at debug level 3) the following messages:
```
30-Nov-2021 10:05:26.927 general: info: received control channel command 'reload example.ch'
30-Nov-2021 10:05:26.927 zoneload: debug 1: zone example.ch/IN (unsigned): skipping load: master file older than last load
```
restarting
The key files exist (before and after the restart):
```
$ ls -lahF
total 340K
drwxr-xr-x. 2 named named 4.0K 30. Nov 09:59 ./
drwxr-xr-x. 7 named named 308K 29. Nov 16:31 ../
-rw-r--r--. 1 named named  443 30. Nov 10:10 Kexample.ch.+013+54591.key
-rw-------. 1 named named  235 30. Nov 10:10 Kexample.ch.+013+54591.private
-rw-r--r--. 1 named named  541 30. Nov 10:10 Kexample.ch.+013+54591.state
-rw-r--r--. 1 named named  388 30. Nov 10:10 Kexample.ch.+013+56340.key
-rw-------. 1 named named  241 30. Nov 10:10 Kexample.ch.+013+56340.private
-rw-r--r--. 1 named named  675 30. Nov 10:10 Kexample.ch.+013+56340.state

# ZSK
$ cat Kexample.ch.+013+54591.key Kexample.ch.+013+54591.state
; This is a zone-signing key, keyid 54591, for example.ch.
; Created: 20211130085900 (Tue Nov 30 09:59:00 2021)
; Publish: 20211130085900 (Tue Nov 30 09:59:00 2021)
; Activate: 20211130085900 (Tue Nov 30 09:59:00 2021)
; Inactive: 20211207085900 (Tue Dec  7 09:59:00 2021)
; Delete: 20211217100400 (Fri Dec 17 11:04:00 2021)
example.ch. 3600 IN DNSKEY 256 3 13 yzEu6qim1W01nMHAPGhB8nXM2Qb+PTJH0c5+muyy1QjVy4+dldge0Tw6 H0rckR/sNyQOAPzpsChOqqHZhSF32w==
; This is the state of key 54591, for example.ch.
Algorithm: 13
Length: 256
Lifetime: 604800
KSK: no
ZSK: yes
Generated: 20211130085900 (Tue Nov 30 09:59:00 2021)
Published: 20211130085900 (Tue Nov 30 09:59:00 2021)
Active: 20211130085900 (Tue Nov 30 09:59:00 2021)
Retired: 20211207085900 (Tue Dec  7 09:59:00 2021)
Removed: 20211217100400 (Fri Dec 17 11:04:00 2021)
DNSKEYChange: 20211130085900 (Tue Nov 30 09:59:00 2021)
ZRRSIGChange: 20211130085900 (Tue Nov 30 09:59:00 2021)
DNSKEYState: rumoured
ZRRSIGState: hidden
GoalState: omnipresent

# KSK
$ cat Kexample.ch.+013+56340.key Kexample.ch.+013+56340.state
; This is a key-signing key, keyid 56340, for example.ch.
; Created: 20211129195422 (Mon Nov 29 20:54:22 2021)
; Publish: 20211129195422 (Mon Nov 29 20:54:22 2021)
; Activate: 20211129195422 (Mon Nov 29 20:54:22 2021)
; SyncPublish: 20211129195422 (Mon Nov 29 20:54:22 2021)
example.ch. IN DNSKEY 257 3 13 f2m47DhSRftPS7dbCw8u/C2Gnek3XJyf+FpD1gJg1dl2ZXpVVtx7RsJS ML1bq3WHrWz2IRQvW/0rsvB1f3z2WQ==
; This is the state of key 56340, for example.ch.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: no
Generated: 20211129195422 (Mon Nov 29 20:54:22 2021)
Published: 20211129195422 (Mon Nov 29 20:54:22 2021)
Active: 20211129195422 (Mon Nov 29 20:54:22 2021)
DSPublish: 20211129195759 (Mon Nov 29 20:57:59 2021)
DSRemoved: 20211129195739 (Mon Nov 29 20:57:39 2021)
PublishCDS: 20211129195422 (Mon Nov 29 20:54:22 2021)
DNSKEYChange: 20211129205955 (Mon Nov 29 21:59:55 2021)
KRRSIGChange: 20211129205955 (Mon Nov 29 21:59:55 2021)
DSChange: 20211129225759 (Mon Nov 29 23:57:59 2021)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent
```
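To turn the state files above into a check that can be run from monitoring, here is an added example (not part of this report and not BIND's own code) that parses the `K*.state` format shown and reports when no ZSK is in a signing state. The sample inputs are the two state files from this report, reduced to the fields the check reads; `load_key_dir` and the "unset" default for missing state lines are this example's own assumptions.

```python
"""Check BIND dnssec-policy key state files for a zone that cannot sign.

Added example, not part of the bug report or of BIND. It parses the
K<zone>.+<alg>+<id>.state files the key manager writes (format as shown
in the report) and flags the report's situation: a ZSK whose DNSKEY is
published (rumoured) while its ZRRSIGState stays hidden.
"""
import glob
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples: the two state files from the report, reduced to
# the fields this check reads.
ZSK_STATE = """\
; This is the state of key 54591, for example.ch.
KSK: no
ZSK: yes
DNSKEYState: rumoured
ZRRSIGState: hidden
GoalState: omnipresent
"""

KSK_STATE = """\
; This is the state of key 56340, for example.ch.
KSK: yes
ZSK: no
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent
"""

# States in which a record is visible (or becoming visible) and thus usable.
SIGNING_STATES = {"rumoured", "omnipresent"}
HEADER_RE = re.compile(r"^; This is the state of key (\d+), for (\S+)\.$")


@dataclass
class KeyState:
    keyid: int
    zone: str
    fields: Dict[str, str] = field(default_factory=dict)

    def is_zsk(self) -> bool:
        return self.fields.get("ZSK") == "yes"

    def is_ksk(self) -> bool:
        return self.fields.get("KSK") == "yes"

    def state(self, name: str) -> str:
        # Assumption of this check: a state line absent from the file is
        # reported as "unset" (BIND has not recorded that state yet).
        return self.fields.get(name, "unset")


def parse_state_file(text: str) -> KeyState:
    """Parse one .state file body into a KeyState."""
    keyid = zone = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            keyid, zone = int(m.group(1)), m.group(2)
            continue
        if line.startswith(";"):
            continue  # other comment lines carry no state
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if keyid is None or zone is None:
        raise ValueError("state file has no '; This is the state of key' header")
    return KeyState(keyid, zone, fields)


def load_key_dir(path: str) -> List[KeyState]:
    """Read every K*.state file in a BIND key-directory (hypothetical helper)."""
    keys = []
    for name in sorted(glob.glob(os.path.join(path, "K*.state"))):
        with open(name, encoding="ascii") as fh:
            keys.append(parse_state_file(fh.read()))
    return keys


def assess_zone(keys: List[KeyState]) -> List[str]:
    """Return findings; an empty list means the key set can sign the zone."""
    findings = []
    zsks = [k for k in keys if k.is_zsk()]
    ksks = [k for k in keys if k.is_ksk()]
    if not any(k.state("ZRRSIGState") in SIGNING_STATES for k in zsks):
        findings.append("no ZSK has ZRRSIGState rumoured/omnipresent: zone data is not being signed")
    if not any(k.state("KRRSIGState") in SIGNING_STATES for k in ksks):
        findings.append("no KSK has KRRSIGState rumoured/omnipresent: DNSKEY RRset is not being signed")
    for k in zsks:
        if (k.state("GoalState") == "omnipresent"
                and k.state("DNSKEYState") in SIGNING_STATES
                and k.state("ZRRSIGState") == "hidden"):
            findings.append(f"ZSK {k.keyid} ({k.zone}): DNSKEY is {k.state('DNSKEYState')} "
                            "but ZRRSIG is hidden; the key manager is not introducing signatures")
    return findings


if __name__ == "__main__":
    for finding in assess_zone([parse_state_file(ZSK_STATE), parse_state_file(KSK_STATE)]):
        print("FINDING:", finding)
```

Note the limit of a state-file check: in this report the KSK's `KRRSIGState` is `omnipresent` even though the `dig +dnssec dnskey` query returns no RRSIG, so the state files claim more than the served zone delivers. The check is therefore a complement to querying the zone for RRSIG records, not a replacement.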
The restart logs the following output:
```
30-Nov-2021 10:07:04.657 general: debug 1: zone_dump: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.657 general: debug 1: zone_gotwritehandle: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.659 general: debug 3: zone_shutdown: zone example.ch/IN (signed): shutting down
30-Nov-2021 10:07:04.664 general: debug 3: zone_shutdown: zone example.ch/IN (unsigned): shutting down
30-Nov-2021 10:07:04.664 database: debug 1: calling free_rbtdb(example.ch)
30-Nov-2021 10:07:04.664 database: debug 1: done free_rbtdb(example.ch)
30-Nov-2021 10:07:04.665 general: debug 1: dump_done: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.665 general: debug 1: zone_journal_compact: zone example.ch/IN (signed): target journal size 2358
30-Nov-2021 10:07:04.665 general: debug 3: zone example.ch/IN (signed): dns_journal_compact: success
30-Nov-2021 10:07:04.669 database: debug 1: calling free_rbtdb(example.ch)
30-Nov-2021 10:07:04.669 database: debug 1: done free_rbtdb(example.ch)
30-Nov-2021 10:07:04.743 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.743 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.745 zoneload: debug 1: zone example.ch/IN (unsigned): starting load
30-Nov-2021 10:07:04.745 general: debug 1: zone_startload: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.746 zoneload: debug 2: zone example.ch/IN (unsigned): number of nodes in database: 1
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (unsigned): journal empty
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (unsigned): loaded; checking validity
30-Nov-2021 10:07:04.746 general: debug 1: dns_zone_verifydb: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.746 general: debug 1: zone_settimer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.746 zoneload: info: zone example.ch/IN (unsigned): loaded serial 2021113001
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (signed): starting load
30-Nov-2021 10:07:04.746 general: debug 1: zone_startload: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 zoneload: debug 2: zone example.ch/IN (signed): number of nodes in database: 1
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (signed): journal rollforward completed successfully: up to date
30-Nov-2021 10:07:04.746 zoneload: debug 1: zone example.ch/IN (signed): loaded; checking validity
30-Nov-2021 10:07:04.746 general: debug 1: dns_zone_verifydb: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.746 zoneload: info: zone example.ch/IN (signed): loaded serial 2021113003
30-Nov-2021 10:07:04.758 general: debug 1: dns_zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.758 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.758 general: debug 1: dns_zone_maintenance: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.758 general: debug 1: zone_settimer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.761 general: debug 1: setnsec3param: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.761 general: debug 1: rss_post: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.761 general: debug 1: receive_secure_serial: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.764 general: error: zone example.ch/IN (signed): found no active private keys, unable to generate any signatures
30-Nov-2021 10:07:04.764 general: debug 1: zone_journal: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.769 general: debug 1: zone_needdump: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.769 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.769 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.770 general: debug 1: zone_timer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.770 general: debug 1: zone_maintenance: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.770 general: debug 1: zone_settimer: zone example.ch/IN (unsigned): enter
30-Nov-2021 10:07:04.771 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.771 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.771 notify: info: zone example.ch/IN (signed): sending notifies (serial 2021113004)
30-Nov-2021 10:07:04.771 dnssec: info: zone example.ch/IN (signed): reconfiguring zone keys
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:07:04.777 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) matches policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) is active in policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) (policy thewaytogo-faster) in 2656704072 seconds
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) matches policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) is active in policy thewaytogo-faster
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) (policy thewaytogo-faster) in 596816 seconds
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY in state RUMOURED
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT?
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: dnssec evaluation of ZSK example.ch/ECDSAP256SHA256/54591 record DNSKEY: rule1=(~true or true) rule2=(~true or true) rule3=(~false or false)
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: time says no to ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 7016 seconds)
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG in state HIDDEN
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED?
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: policy says no to ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in stable state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in stable state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DS in state OMNIPRESENT
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DS in stable state OMNIPRESENT
30-Nov-2021 10:07:04.780 general: info: CDS for key example.ch/ECDSAP256SHA256/56340 is now published
30-Nov-2021 10:07:04.780 general: info: CDNSKEY for key example.ch/ECDSAP256SHA256/56340 is now published
30-Nov-2021 10:07:04.782 general: debug 1: zone_journal: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.784 general: debug 1: zone_needdump: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.784 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.784 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.785 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.785 dnssec: debug 3: zone example.ch/IN (signed): next key event in 7016 seconds
30-Nov-2021 10:07:04.785 dnssec: info: zone example.ch/IN (signed): next key event: 30-Nov-2021 12:04:00.771
30-Nov-2021 10:07:04.785 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 54591/ECDSAP256SHA256
30-Nov-2021 10:07:04.785 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 56340/ECDSAP256SHA256
30-Nov-2021 10:07:04.785 general: debug 1: zone_sign: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:04.787 dnssec: debug 3: zone example.ch/IN (signed): zone_sign:use kasp -> yes
30-Nov-2021 10:07:04.787 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:09.771 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:09.771 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:07:09.771 notify: info: zone example.ch/IN (signed): sending notifies (serial 2021113005)
30-Nov-2021 10:07:09.771 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
```
rndc sign example.ch
```
30-Nov-2021 10:10:56.477 general: info: received control channel command 'sign example.ch'
30-Nov-2021 10:10:56.478 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.478 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.478 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.478 dnssec: info: zone example.ch/IN (signed): reconfiguring zone keys
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: keyring: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/54591 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: dnskeys: example.ch/ECDSAP256SHA256/56340 (policy thewaytogo-faster)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) matches policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) is active in policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/56340 (KSK) (policy thewaytogo-faster) in 2656703840 seconds
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) matches policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) is active in policy thewaytogo-faster
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: new successor needed for DNSKEY example.ch/ECDSAP256SHA256/54591 (ZSK) (policy thewaytogo-faster) in 596584 seconds
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY in state RUMOURED
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT?
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: dnssec evaluation of ZSK example.ch/ECDSAP256SHA256/54591 record DNSKEY: rule1=(~true or true) rule2=(~true or true) rule3=(~false or false)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: time says no to ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 6784 seconds)
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: examine ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG in state HIDDEN
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: can we transition ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED?
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: policy says no to ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in state OMNIPRESENT
30-Nov-2021 10:10:56.483 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DNSKEY in stable state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type KRRSIG in stable state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: examine KSK example.ch/ECDSAP256SHA256/56340 type DS in state OMNIPRESENT
30-Nov-2021 10:10:56.484 dnssec: debug 1: keymgr: KSK example.ch/ECDSAP256SHA256/56340 type DS in stable state OMNIPRESENT
30-Nov-2021 10:10:56.487 general: warning: zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340 missing or inactive and has no replacement: retaining signatures.
30-Nov-2021 10:10:56.487 general: debug 1: zone_journal: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_needdump: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.490 dnssec: debug 3: zone example.ch/IN (signed): next key event in 6784 seconds
30-Nov-2021 10:10:56.490 dnssec: info: zone example.ch/IN (signed): next key event: 30-Nov-2021 12:04:00.478
30-Nov-2021 10:10:56.491 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 54591/ECDSAP256SHA256
30-Nov-2021 10:10:56.491 dnssec: debug 3: zone example.ch/IN (signed): zone_rekey done: key 56340/ECDSAP256SHA256
30-Nov-2021 10:10:56.491 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.491 general: debug 1: zone_timer: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.491 general: debug 1: zone_maintenance: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.491 general: debug 1: zone_sign: zone example.ch/IN (signed): enter
30-Nov-2021 10:10:56.493 dnssec: debug 3: zone example.ch/IN (signed): zone_sign:use kasp -> yes
30-Nov-2021 10:10:56.493 general: debug 1: zone_settimer: zone example.ch/IN (signed): enter
```
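The two log excerpts above contain the lines an operator would want alerted on: the `found no active private keys` error, the `missing or inactive and has no replacement` warning, and the keymgr `time says no` / `policy says no` lines that explain why a state transition did not happen. The following is an added example (not part of this report and not BIND code) of detection logic over such lines; the sample log is constructed from lines copied out of this report, and the event categories and `summarize` output format are this example's own choices.

```python
"""Scan named log lines for dnssec-policy signing failures and blocked key transitions.

Added example, not part of the bug report or of BIND. The line format and the
message texts are those visible in the report's logs (category, level, message).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the report's restart and "rndc sign" logs.
SAMPLE_LOG = """\
30-Nov-2021 10:07:04.764 general: error: zone example.ch/IN (signed): found no active private keys, unable to generate any signatures
30-Nov-2021 10:07:04.778 dnssec: debug 1: keymgr: time says no to ZSK example.ch/ECDSAP256SHA256/54591 type DNSKEY state RUMOURED to state OMNIPRESENT (wait 7016 seconds)
30-Nov-2021 10:07:04.779 dnssec: debug 1: keymgr: policy says no to ZSK example.ch/ECDSAP256SHA256/54591 type ZRRSIG state HIDDEN to state RUMOURED
30-Nov-2021 10:07:04.785 dnssec: info: zone example.ch/IN (signed): next key event: 30-Nov-2021 12:04:00.771
30-Nov-2021 10:10:56.487 general: warning: zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340 missing or inactive and has no replacement: retaining signatures.
30-Nov-2021 10:10:56.493 dnssec: debug 3: zone example.ch/IN (signed): zone_sign:use kasp -> yes
"""

# "30-Nov-2021 10:07:04.764 general: error: <message>"; level may be "debug 1".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<cat>\w+): "
    r"(?P<level>\w+(?: \d)?): (?P<msg>.*)$")
BLOCKED_RE = re.compile(
    r"keymgr: (?P<who>time|policy) says no to (?P<role>KSK|ZSK) (?P<key>\S+) "
    r"type (?P<rec>\w+) state (?P<frm>\w+) to state (?P<to>\w+)"
    r"(?: \(wait (?P<wait>\d+) seconds\))?")
ZONE_RE = re.compile(r"zone (?P<zone>\S+)/IN \((?:un)?signed\): ")
# Message fragments that mean named could not produce (new) signatures.
FAILURE_MARKERS = ("found no active private keys",
                   "missing or inactive and has no replacement")


@dataclass
class Event:
    ts: str
    kind: str            # "signing_failure", "blocked_transition" or "other"
    zone: Optional[str]
    detail: str
    wait: Optional[int] = None   # seconds until a time-blocked transition may happen


def classify(line: str) -> Optional[Event]:
    """Turn one log line into an Event, or None if it is not a named log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    bm = BLOCKED_RE.search(msg)
    if bm:
        wait = int(bm.group("wait")) if bm.group("wait") else None
        detail = (f"{bm.group('who')} blocks {bm.group('role')} {bm.group('key')} "
                  f"{bm.group('rec')} {bm.group('frm')}->{bm.group('to')}")
        # The key name is <zone>/<algorithm>/<keyid>, so the zone is its first part.
        return Event(ts, "blocked_transition", bm.group("key").split("/")[0], detail, wait)
    zm = ZONE_RE.search(msg)
    zone = zm.group("zone") if zm else None
    if any(marker in msg for marker in FAILURE_MARKERS):
        return Event(ts, "signing_failure", zone, msg)
    return Event(ts, "other", zone, msg)


def scan(text: str) -> List[Event]:
    return [e for e in (classify(l) for l in text.splitlines()) if e is not None]


def summarize(events: List[Event]) -> Dict[str, object]:
    """Aggregate events into the fields an alert rule would act on."""
    kinds = Counter(e.kind for e in events)
    return {
        "signing_failures": kinds["signing_failure"],
        "blocked_transitions": kinds["blocked_transition"],
        # Policy blocks never resolve by waiting; these are the ones to look at first.
        "policy_blocked": [e.detail for e in events
                           if e.kind == "blocked_transition" and e.detail.startswith("policy")],
        "max_wait_seconds": max((e.wait for e in events if e.wait is not None), default=0),
        "zones_failing": sorted({e.zone for e in events if e.kind == "signing_failure" and e.zone}),
    }


if __name__ == "__main__":
    for key, value in summarize(scan(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the report's lines it reports two signing failures for `example.ch`, one time-blocked transition that resolves itself in 7016 seconds, and one policy-blocked transition (`ZRRSIG HIDDEN->RUMOURED`), which is the one that does not resolve on its own and matches the `zone signing: no` line in `rndc dnssec -status`.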
What is the expected correct behavior?
Signed zone
Relevant configuration files
```
# zone configuration
zone "example.ch" {
    type master;
    file "master/example.ch.hosts";
    dnssec-policy thewaytogo-faster;
    parental-agents { "ch"; };
    key-directory "/etc/named/keys/example.ch";
};

# dnssec-policy
dnssec-policy "thewaytogo-faster" {
    // Signatures
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;

    // Keys
    dnskey-ttl 3600s;
    publish-safety 1h;
    retire-safety 1h;
    purge-keys 30d;
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime 7d algorithm ecdsap256sha256;
    };

    // Zone properties
    zone-propagation-delay 300s;
    max-zone-ttl 86400s;

    // Parent properties
    parent-propagation-delay 1h;
    parent-ds-ttl 3600;
};
```