
I set up my (authoritative) BIND nameserver for DNSSEC and installed one ZSK for my currently only zone. In order to test whether I can use multiple ZSKs for a single zone, I generated a new key pair and copied it into the same folder as the first key pair. After doing a reload, the server found the new ZSK key pair and signed the zone with both ZSKs.

Now I noticed that I don't need two ZSKs at the same time and thought that I could delete the new ZSK the same way I added it, so I deleted the corresponding files in the configuration directory.

Unfortunately, this didn't remove the newer ZSK from the system: after a reload the nameserver is missing the files but is still responding with both ZSKs over DNS.

Now my question is, how can I remove BIND's knowledge of the second ZSK and return to signing with a single ZSK?

comfreak

2 Answers


I managed to solve the problem by running rndc delzone mydomain.example, then deleting all the automatically created files that start with my zone file's file name, and then restarting (rather than reloading, which I had already tried) the server using service named restart.

Now I only have the signatures with the remaining ZSK.

I hope this might help someone else in the future.

Patrick Mevzek
comfreak
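As an added check that is not part of the answer above, the following script compares the DNSKEY RRset a server actually publishes with the key files present in BIND's key directory, so you can confirm which ZSK is still being served after a cleanup. It computes the RFC 4034 key tag for each record and derives BIND's `K<zone>.+<alg>+<tag>.key` file name from it; the DNSKEY lines and the set of files on disk are constructed sample data for the zone name used in the question.

```python
import base64
import struct

# Constructed sample: what `dig mydomain.example DNSKEY` might print after the
# second ZSK's files were deleted but the key is still published (three keys).
SAMPLE_RRSET = """\
mydomain.example. 3600 IN DNSKEY 256 3 8 AQAB ; ZSK, constructed
mydomain.example. 3600 IN DNSKEY 257 3 8 AQAB ; KSK, constructed
mydomain.example. 3600 IN DNSKEY 256 3 8 AQID ; second ZSK, constructed
"""

# Constructed sample: key files still present in BIND's key-directory.
FILES_ON_DISK = {
    "Kmydomain.example.+008+01544.key",
    "Kmydomain.example.+008+01545.key",
}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). Not valid for obsolete algorithm 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rrset(text: str) -> list:
    """Parse DNSKEY records in presentation format; ';' comments are ignored."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        name, flags, proto, alg = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
        pubkey = base64.b64decode("".join(fields[7:]))  # key may be wrapped
        tag = key_tag(struct.pack("!HBB", flags, proto, alg) + pubkey)
        records.append({
            "name": name, "flags": flags, "alg": alg, "tag": tag,
            "role": "KSK" if flags & 1 else "ZSK",  # SEP bit marks the KSK
            "keyfile": f"K{name}+{alg:03d}+{tag:05d}.key",  # BIND naming
        })
    return records


def published_without_keyfile(records: list, files_on_disk: set) -> list:
    """Keys the server still serves although their key file is gone."""
    return [r for r in records if r["keyfile"] not in files_on_disk]


if __name__ == "__main__":
    for r in published_without_keyfile(parse_dnskey_rrset(SAMPLE_RRSET), FILES_ON_DISK):
        print(f"{r['role']} tag {r['tag']} still published, missing {r['keyfile']}")
```

On a live server, replace SAMPLE_RRSET with the output of dig and FILES_ON_DISK with a listing of the key directory; a ZSK reported here is exactly the one BIND still has in its signing state.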

This howto may help you: https://www.nlnetlabs.nl/publications/dnssec_howto/

There is a specific paragraph about ZSK rollovers. On production systems you should not do rollovers by hand, specifically ZSKs, as they are bound to happen "often". You should use software like OpenDNSSEC.

Patrick Mevzek