Three months ago I upgraded my DNS servers to BIND 9.16 (currently running 9.16.25) to take advantage of the new dnssec-policy default option, which would allow me to easily run DNSSEC for my domains. Documentation indicated that key management would happen automatically. I implemented this, tested locally, and it looked like everything was getting signed just fine, and all seemed right with the world. I had not previously implemented DNSSEC in any form for these zones.
I later learned that I should have uploaded my DS records to my registrar to report to the TLD that my zones were signed, which would complete the circuit and allow DNSSEC to actually happen... so I started doing that this month. However, when I did so, things started failing, and I quickly learned that all my signatures had expired 15 days after I implemented DNSSEC.
I tried doing a manual rollover of the keys for one zone. That changed the sigs for some of the records, but not all (no A, AAAA, CNAME records, for example). I looked in the docs for details of how dnssec-policy default is implemented, and found that the keys are set to not expire, but that the signatures are set to expire after 15 days or so... and that if the keys don't expire, no rollover will ever be scheduled. So what am I supposed to do about the expired sigs?
Does the dnssec-policy default really work as advertised and I'm missing something crucial, or should I really be rolling my own here?
Relevant settings in named.conf.options:
options {
[..]
dnssec-validation auto;
dnssec-policy default;
dnssec-dnskey-kskonly yes;
managed-keys-directory "/var/lib/bind";
[..]
};
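A check an operator could run to catch the situation described in this question before validators do, as an added example that is not part of the original post: it reads RRSIG records in the presentation format that `dig +dnssec` prints and flags any whose expiration field is already in the past. The sample records and the reference timestamps are constructed, not taken from a real zone.

```shell
#!/bin/sh
# Added example: flag RRSIGs whose expiration (RDATA field 9, YYYYMMDDHHMMSS in
# UTC) is earlier than a supplied reference time. Input is in the presentation
# format that `dig +dnssec` prints. The records below are constructed samples.

SAMPLE_RRSIGS='example.com. 3600 IN RRSIG A 13 2 3600 20220130000000 20220115000000 12345 example.com. ABCDEFGH==
example.com. 3600 IN RRSIG SOA 13 2 3600 20220301000000 20220215000000 12345 example.com. IJKLMNOP==
www.example.com. 3600 IN RRSIG AAAA 13 3 3600 20220130000000 20220115000000 12345 example.com. QRSTUVWX=='

# check_rrsig_expiry <now-as-YYYYMMDDHHMMSS>
# Reads RRSIG records on stdin, prints one line per expired signature and
# returns 1 if any signature has expired, 0 otherwise. Because the timestamp
# format is fixed-width UTC, a plain numeric comparison is sufficient.
check_rrsig_expiry() {
    awk -v now="$1" '
        $4 == "RRSIG" {
            # $1 = owner, $5 = covered type, $9 = expiration, $10 = inception
            if ($9 + 0 < now + 0) {
                printf "EXPIRED %s %s (expired %s)\n", $1, $5, $9
                expired++
            }
        }
        END { exit (expired > 0) ? 1 : 0 }
    '
}

# count_expired <now-as-YYYYMMDDHHMMSS>
# Runs the check over the constructed sample and prints how many expired.
count_expired() {
    printf '%s\n' "$SAMPLE_RRSIGS" | check_rrsig_expiry "$1" | wc -l | tr -d ' '
}

# Live use against a real zone (not run here):
#   dig +dnssec +noall +answer example.com A \
#     | check_rrsig_expiry "$(date -u +%Y%m%d%H%M%S)"
```

The same filter works on the output of `dig +dnssec ANY` or on a signed zone file, so it can be wired into cron to alert well inside the signature validity window.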