Change dnssec-policy key lifetime does not affect existing keys
Summary
Although this also bears some discussion, this is a bug, either in the documentation or in the behaviour...
I have a ZSK policy that I originally set up with unlimited lifetime. dnssec-policy created my keys for me, managing the rollover of my old algorithm to my new algorithm when I updated my dnssec-policy to do this.
The next job on my list (after negotiating the KSK and ZSK rollovers to update to a modern signing algorithm) was to put in place automatic ZSK rollover.
Changing the lifetime in the ZSK policy, however, does not affect the existing ZSK. I was obliged to issue 'rndc dnssec -rollover ...' to initiate the rollover. This was unexpected, but also undocumented in terms of what I should expect when I update my dnssec-policy.
So... either this needs to be documented in the ARM, so that it's clear that just updating the key policy lifetime does not update existing keys ...
OR - it actually does need to update the existing keys and any scheduled rollovers. In which case we then need to consider what should happen because there are a bunch of scenarios for this, such as:
a) Update a key with forever lifetime to one that should automatically roll - do you schedule the roll immediately or for 'period' from now?
b) Update a key that has lifetime 'x' and a rollover already scheduled - do you change its schedule, or just apply the new lifetime to the next key?
BIND version affected
9.18.25
Discuss...
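Added example (not part of the original report, and not configuration from the BIND project): a named.conf fragment showing the kind of policy change the report describes, with the ZSK lifetime changed from `unlimited` to a finite period. The policy name, zone name, file name and algorithm are assumptions for illustration; the report does not state them.

```conf
// Added example, not from the original issue. Names and algorithm are assumed.

/*
 * Before: the ZSK has no lifetime, so named never schedules a ZSK rollover.
 * (Commented out; a named.conf cannot contain two policies with the same name.)
 *
 * dnssec-policy "example-policy" {
 *     keys {
 *         ksk lifetime unlimited algorithm ecdsap256sha256;
 *         zsk lifetime unlimited algorithm ecdsap256sha256;
 *     };
 * };
 */

// After: the ZSK is meant to roll every 90 days. Per the report, a ZSK
// that already existed under the old policy did not pick up this lifetime
// after the policy change and had to be rolled with rndc.
dnssec-policy "example-policy" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;
    };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy "example-policy";
    inline-signing yes;   // assumed: zone is file-backed rather than dynamic
};
```

After `rndc reconfig`, `rndc dnssec -status example.com` shows each key's timing metadata, which is where you can see whether the existing ZSK acquired a retire/remove date from the new lifetime. If it did not, the manual path the report mentions is `rndc dnssec -rollover -key <keytag> example.com`, with `<keytag>` taken from the status output (and `-when` to schedule it rather than start it immediately); the new key generated by that rollover is created under the current policy and carries the P90D lifetime.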