CDS is stuck on an old key.
Summary
The zone rombobeorn.se seems to be stuck in a CSK rollover that never gets finished. The CDS record still specifies the old key. Thus the parent zone doesn't update DS. Thus the old DNSKEY record can't be removed.
BIND version used
# named -V
BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>
running on Linux x86_64 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.18.19=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.10 1 Aug 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
Steps to reproduce
This zone has successfully replaced one CSK with another before. This was the DNSSEC policy at the time:
dnssec-policy "automatik" {
    keys {
        csk lifetime P1M algorithm rsasha256 2048;
    };
};
In an attempt to decrease the time the zone spends with dual keys, I changed the policy to this:
dnssec-policy "automatik" {
    keys {
        csk lifetime P1M algorithm rsasha256 2048;
    };
    dnskey-ttl P1D;
    max-zone-ttl P1D;
    signatures-validity P1W;
    signatures-refresh P2D;
};
What is the current bug behavior?
On 2023-11-20 it was time for another rollover. CSK 58364 was generated and published in a second DNSKEY record. The DNSKEY, CDS and CDNSKEY records were signed with both the old and the new key. Other records had their signatures replaced gradually. Since 2023-12-01 all the records except DNSKEY, CDS and CDNSKEY have signatures only by the new key. Yet CDS and CDNSKEY still show the old key, 44674. You can check it yourself:
$ dig +short CDS rombobeorn.se
44674 8 2 DC0A35038C492439E044C0A109A62A7447427B606104613D7BA4B32D 2EDAC3FB
On 2023-12-02 it was time to renew the signatures for DNSKEY, CDS and CDNSKEY. They were again signed with both keys. There are still dual DNSKEY records.
Validation still succeeds, presumably because the new key is signed with the old key. BIND seems to understand that it can't remove the old key yet, but it's not publishing a CDS record for the new key.
What is the expected correct behavior?
If the policy I have configured is wrong somehow, then it should have been rejected with an informative error message. Otherwise the CDS record (and CDNSKEY) should have been changed to 58364 by now.
Relevant configuration files
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    key-directory "/var/lib/bind";
    listen-on-v6 { any; };
};
dnssec-policy "som_det_var" {
    keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime unlimited algorithm rsasha256 2048;
    };
    dnskey-ttl P1D;
    purge-keys 0;
};
dnssec-policy "automatik" {
    keys {
        csk lifetime P1M algorithm rsasha256 2048;
    };
    dnskey-ttl P1D;
    max-zone-ttl P1D;
    signatures-validity P1W;
    signatures-refresh P2D;
};
view "internal" {
    match-clients { [omitted] };
    recursion yes;
    allow-recursion { [omitted] };
    allow-transfer { [omitted] };
    notify no;
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/zones.rfc1918";
    zone "xn--rombobjrn-67a.se" {
        type master;
        file "/var/lib/bind/db.xn--rombobjrn-67a.se.internal";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };
    zone "rombobeorn.se" {
        type master;
        file "/var/lib/bind/db.rombobeorn.se.internal";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };
    zone "168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.168.192";
        update-policy { [omitted] };
    };
};
view "external" {
    match-clients {
        any;
    };
    recursion no;
    allow-transfer { [omitted] };
    also-notify { [omitted] };
    notify explicit;
    rate-limit {
        responses-per-second 4;
        slip 2;
    };
    zone "xn--rombobjrn-67a.se" {
        type master;
        file "/var/lib/bind/db.xn--rombobjrn-67a.se.external";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };
    zone "rombobeorn.se" {
        type master;
        file "/var/lib/bind/db.rombobeorn.se.external";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };
};
Relevant logs and/or screenshots
As a baseline, these messages about two previously retired keys were repeated every hour:
2023-11-20T04:05:53.076358+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-20T04:05:53.105296+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T04:05:53.105790+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T04:05:53.109375+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: next key event: 20-Nov-2023 05:04:58.070
2023-11-20T04:05:53.206927+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-20T04:05:53.237195+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T04:05:53.237622+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T04:05:53.241190+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: next key event: 20-Nov-2023 05:04:58.202
Then the new key was generated, and a message about that key was added to the hourly repeats:
2023-11-20T05:04:58.076407+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-20T05:04:58.105335+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T05:04:58.105847+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T05:05:02.049479+01:00 cutie named[443161]: keymgr: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) created for policy automatik
2023-11-20T05:05:02.057591+01:00 cutie named[443161]: Fetching rombobeorn.se/RSASHA256/58364 (CSK) from key repository.
2023-11-20T05:05:02.058067+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now published
2023-11-20T05:05:02.136470+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: next key event: 20-Nov-2023 06:04:58.070
2023-11-20T05:05:02.137062+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-20T05:05:02.160374+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T05:05:02.160830+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T05:05:02.163720+01:00 cutie named[443161]: Fetching rombobeorn.se/RSASHA256/58364 (CSK) from key repository.
2023-11-20T05:05:02.164031+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now published
2023-11-20T05:05:02.242215+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: next key event: 20-Nov-2023 06:05:02.134
2023-11-20T06:04:58.076558+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-20T06:04:58.118725+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T06:04:58.119254+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T06:04:58.123463+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now inactive
2023-11-20T06:04:58.125009+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: next key event: 20-Nov-2023 07:04:58.072
2023-11-20T06:05:02.140288+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-20T06:05:02.183496+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T06:05:02.183962+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T06:05:02.188257+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now inactive
2023-11-20T06:05:02.189804+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: next key event: 20-Nov-2023 07:05:02.136
25 hours later the messages started appearing every ten minutes, claiming falsely that CDS and CDNSKEY had been updated:
2023-11-21T06:09:58.116346+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-21T06:09:58.158703+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:09:58.159244+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:09:58.171210+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:09:58.171736+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:09:58.178814+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-21T06:09:58.219756+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:09:58.222083+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:09:58.223643+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:09:58.223970+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.172402+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-21T06:19:58.214907+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:19:58.215409+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:19:58.220135+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.220718+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.222976+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-21T06:19:58.261817+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:19:58.262297+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:19:58.265388+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.265739+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
After another six days a message about the old key was added:
2023-11-27T07:24:01.188353+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-27T07:24:01.231048+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:24:01.231673+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:24:01.249383+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:24:01.250501+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:24:01.250919+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:24:01.253391+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-27T07:24:01.287956+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:24:01.288376+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:24:01.290787+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:24:01.291398+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:24:01.291732+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.256339+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-27T07:34:01.299042+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:34:01.299657+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:34:01.303256+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:34:01.304268+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.304659+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.307121+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-27T07:34:01.346113+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:34:01.346504+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:34:01.348830+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:34:01.349518+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.349707+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
Those messages are still being repeated every ten minutes, and that "inactive" key is still current according to CDS.
Here's what the key states were right after the new key was generated at 2023-11-20 05:05:
; This is the state of key 44674, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 26869
Successor: 58364
KSK: yes
ZSK: yes
Generated: 20231020040458 (Fri Oct 20 06:04:58 2023)
Published: 20231020040458 (Fri Oct 20 06:04:58 2023)
Active: 20231020060958 (Fri Oct 20 08:09:58 2023)
Retired: 20231120060958 (Mon Nov 20 07:09:58 2023)
Removed: 20231126071458 (Sun Nov 26 08:14:58 2023)
DSPublish: 20231020160958 (Fri Oct 20 18:09:58 2023)
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSPubCount: 1
DNSKEYChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
ZRRSIGChange: 20231030071458 (Mon Oct 30 08:14:58 2023)
KRRSIGChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSChange: 20231021180958 (Sat Oct 21 20:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: hidden
; This is the state of key 58364, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 44674
KSK: yes
ZSK: yes
Generated: 20231120040458 (Mon Nov 20 05:04:58 2023)
Published: 20231120040458 (Mon Nov 20 05:04:58 2023)
Active: 20231120060958 (Mon Nov 20 07:09:58 2023)
Retired: 20231221060958 (Thu Dec 21 07:09:58 2023)
Removed: 20231227071458 (Wed Dec 27 08:14:58 2023)
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
ZRRSIGChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
KRRSIGChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
DSChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
DNSKEYState: rumoured
ZRRSIGState: hidden
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
At 2023-11-21 06:09 the new key's state looked like this:
; This is the state of key 58364, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 44674
KSK: yes
ZSK: yes
Generated: 20231120040458 (Mon Nov 20 05:04:58 2023)
Published: 20231120040458 (Mon Nov 20 05:04:58 2023)
Active: 20231120060958 (Mon Nov 20 07:09:58 2023)
Retired: 20231221060958 (Thu Dec 21 07:09:58 2023)
Removed: 20231227071458 (Wed Dec 27 08:14:58 2023)
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
ZRRSIGChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
KRRSIGChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DSChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: rumoured
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
Then, at 2023-11-27 07:24 the key states changed into this:
; This is the state of key 44674, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 26869
Successor: 58364
KSK: yes
ZSK: yes
Generated: 20231020040458 (Fri Oct 20 06:04:58 2023)
Published: 20231020040458 (Fri Oct 20 06:04:58 2023)
Active: 20231020060958 (Fri Oct 20 08:09:58 2023)
Retired: 20231120060958 (Mon Nov 20 07:09:58 2023)
Removed: 20231126071458 (Sun Nov 26 08:14:58 2023)
DSPublish: 20231020160958 (Fri Oct 20 18:09:58 2023)
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSPubCount: 1
DNSKEYChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
ZRRSIGChange: 20231127062401 (Mon Nov 27 07:24:01 2023)
KRRSIGChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSChange: 20231021180958 (Sat Oct 21 20:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: unretentive
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: hidden
; This is the state of key 58364, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 44674
KSK: yes
ZSK: yes
Generated: 20231120040458 (Mon Nov 20 05:04:58 2023)
Published: 20231120040458 (Mon Nov 20 05:04:58 2023)
Active: 20231120060958 (Mon Nov 20 07:09:58 2023)
Retired: 20231221060958 (Thu Dec 21 07:09:58 2023)
Removed: 20231227071458 (Wed Dec 27 08:14:58 2023)
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
ZRRSIGChange: 20231127062401 (Mon Nov 27 07:24:01 2023)
KRRSIGChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DSChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
Most recently, the old key's state changed at 2023-12-03 08:34:
; This is the state of key 44674, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 26869
Successor: 58364
KSK: yes
ZSK: yes
Generated: 20231020040458 (Fri Oct 20 06:04:58 2023)
Published: 20231020040458 (Fri Oct 20 06:04:58 2023)
Active: 20231020060958 (Fri Oct 20 08:09:58 2023)
Retired: 20231120060958 (Mon Nov 20 07:09:58 2023)
Removed: 20231126071458 (Sun Nov 26 08:14:58 2023)
DSPublish: 20231020160958 (Fri Oct 20 18:09:58 2023)
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSPubCount: 1
DNSKEYChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
ZRRSIGChange: 20231203073446 (Sun Dec 3 08:34:46 2023)
KRRSIGChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSChange: 20231021180958 (Sat Oct 21 20:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: hidden
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: hidden
Other possibly useful state:
# rndc dnssec -status rombobeorn.se IN external
dnssec-policy: automatik
current time: Mon Dec 4 10:30:48 2023
key: 26869 (RSASHA256), CSK
published: no
key signing: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: hidden
- zone rrsig: hidden
- key rrsig: hidden
key: 44674 (RSASHA256), CSK
published: yes - since Fri Oct 20 06:04:58 2023
key signing: yes - since Fri Oct 20 06:04:58 2023
zone signing: no
Key is retired, will be removed on Sun Nov 26 08:14:58 2023
- goal: hidden
- dnskey: omnipresent
- ds: omnipresent
- zone rrsig: hidden
- key rrsig: omnipresent
key: 50640 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: unretentive
- zone rrsig: hidden
- key rrsig: hidden
key: 48019 (RSASHA256), KSK
published: no
key signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: hidden
- zone rrsig: hidden
- key rrsig: hidden
key: 58364 (RSASHA256), CSK
published: yes - since Mon Nov 20 05:04:58 2023
key signing: yes - since Mon Nov 20 05:04:58 2023
zone signing: yes - since Mon Nov 20 07:09:58 2023
Next rollover scheduled on Wed Dec 20 06:04:58 2023
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- zone rrsig: omnipresent
- key rrsig: omnipresent
# rndc zonestatus rombobeorn.se IN external
name: rombobeorn.se
type: primary
files: /var/lib/bind/db.rombobeorn.se.external
serial: 2023092684
nodes: 14
last loaded: Mon, 23 Oct 2023 21:53:52 GMT
secure: yes
inline signing: no
key maintenance: automatic
next key event: Mon, 04 Dec 2023 09:34:54 GMT
next resign node: rombobeorn.se/MX
next resign time: Mon, 04 Dec 2023 22:20:46 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
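A monitoring check for the condition described in this report, as an added example that is not part of the original report and is not BIND's own code: it parses key state dumps and `dig +short CDS` output in the formats quoted above and lists keys whose CDS is due but not served. The function names, the one-hour grace period and the trimmed sample data are assumptions of the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: trimmed from the key state dumps and dig output quoted in the report.
STATE_44674 = """\
; This is the state of key 44674, for rombobeorn.se.
Successor: 58364
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSState: omnipresent
GoalState: hidden
"""
STATE_58364 = """\
; This is the state of key 58364, for rombobeorn.se.
Predecessor: 44674
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DSState: rumoured
GoalState: omnipresent
"""
DIG_CDS = "44674 8 2 DC0A35038C492439E044C0A109A62A7447427B606104613D7BA4B32D 2EDAC3FB\n"

HEADER = re.compile(r"^; This is the state of key (\d+), for (\S+?)\.?$")


def parse_state(text):
    """Parse one key state dump into a dict, adding 'tag' and 'zone' from the header."""
    state = {}
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            state["tag"], state["zone"] = int(header.group(1)), header.group(2)
        elif ":" in line and not line.startswith(";"):
            name, _, value = line.partition(":")
            state[name.strip()] = value.strip()
    return state


def state_time(value):
    """'20231121050958 (Tue Nov 21 ...)' -> aware datetime; the leading stamp is UTC."""
    stamp = value.split()[0]
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def cds_tags(dig_output):
    """Key tags (first field) of the records in `dig +short CDS` output."""
    return {int(line.split()[0]) for line in dig_output.splitlines() if line.strip()}


def check_cds(states, dig_output, now, grace=timedelta(hours=1)):
    """Compare what the key states say CDS should hold with what is served.

    missing: keys with GoalState omnipresent whose PublishCDS time (plus grace)
             has passed but whose tag is absent from the served CDS RRset.
    stale:   served tags that belong to keys with GoalState hidden.
    """
    served = cds_tags(dig_output)
    missing, stale = [], []
    for s in states:
        if s.get("GoalState") == "omnipresent" and "PublishCDS" in s:
            if state_time(s["PublishCDS"]) + grace <= now and s["tag"] not in served:
                missing.append(s["tag"])
        elif s.get("GoalState") == "hidden" and s["tag"] in served:
            stale.append(s["tag"])
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    states = [parse_state(STATE_44674), parse_state(STATE_58364)]
    print(check_cds(states, DIG_CDS, datetime(2023, 12, 4, 9, 30, tzinfo=timezone.utc)))
```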