
I set up DNSSEC on my private domain many years ago and unfortunately forgot all about it. Bind now tells me it's about to deprecate auto-dnssec in favour of dnssec-policy and I need to migrate my configuration.

I can see my keys are using RSASHA256 and if I understand the documentation correctly I need to define the KSK and ZSK key sizes in the policy like this:

dnssec-policy "mypolicy" {
        keys {
                ksk lifetime unlimited algorithm RSASHA256 <key-size>;
                zsk lifetime unlimited algorithm RSASHA256 <key-size>;
        };
};

But how do I know what key-sizes I'm currently using? I created them so many years ago and no longer remember.

Regards
Morgan

  • Digging deeper into this I think I figured it out myself. The information in Bind's key files is encoded with Base64. Decoding the Modulus fields from my two private key files results in two strings, each 256 characters long. This is 2048 bits and if my Google-fu is correct, this should be the key length. So it seems I created both the KSK and ZSK with 2048 bits. Confirmation of my reasoning would be appreciated. :-) – Morgan Wesström Feb 27 '23 at 01:04
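The check described in the comment above, worked through in code. This is an added example and not part of the original post or of BIND itself. It reads the key size from the two files BIND writes per key: the `.private` file (a `Field: value` text format whose `Modulus:` line is base64) and the `.key` file (a DNSKEY resource record whose public key field is laid out per RFC 3110 as exponent length, exponent, modulus). The size reported is the bit length of the modulus as an integer rather than eight times the decoded byte count, which is the same number for a normally generated key but avoids over-reporting if the leading byte happens to be below 0x80. The sample keys are constructed moduli of the right size, not real RSA keys; the file layouts and the `example.test` name are assumptions for the demonstration.

```python
import base64

# DNSSEC algorithm numbers (IANA registry) that carry RSA public keys.
# Non-RSA algorithms (ECDSA, Ed25519, ...) have a fixed key size, so
# dnssec-policy needs no size for them.
RSA_ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}


def modulus_bits(modulus: bytes) -> int:
    """Key size is the bit length of the modulus as an integer.
    8 * len(modulus) gives the same answer when the top bit is set."""
    return int.from_bytes(modulus, "big").bit_length()


def key_size_from_private(text: str) -> tuple[str, int]:
    """Parse a BIND .private file ("Field: value" lines) and return
    (algorithm name, modulus bits)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    alg = int(fields["Algorithm"].split()[0])  # e.g. "8 (RSASHA256)"
    if alg not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not RSA; its key size is fixed")
    return RSA_ALGORITHMS[alg], modulus_bits(base64.b64decode(fields["Modulus"]))


def key_size_from_keyfile(text: str) -> tuple[str, str, int]:
    """Parse a BIND .key file (a DNSKEY record, possibly preceded by ';'
    comment lines) and return (algorithm name, "KSK"/"ZSK", modulus bits)."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens and not tokens[0].startswith(";") and "DNSKEY" in tokens:
            break
    else:
        raise ValueError("no DNSKEY record found")
    i = tokens.index("DNSKEY")
    flags, alg = int(tokens[i + 1]), int(tokens[i + 3])  # tokens[i+2] is protocol (3)
    if alg not in RSA_ALGORITHMS:
        raise ValueError(f"algorithm {alg} is not RSA; its key size is fixed")
    raw = base64.b64decode("".join(tokens[i + 4:]))
    # RFC 3110: one length byte for the exponent; a zero byte means the
    # length is in the following two bytes.
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    role = "KSK" if flags & 1 else "ZSK"  # SEP bit: 257 = KSK, 256 = ZSK
    return RSA_ALGORITHMS[alg], role, modulus_bits(raw[offset + exp_len:])


def policy_keys_stanza(ksk_bits: int, zsk_bits: int, algorithm: str = "RSASHA256") -> str:
    """Render the keys block of a dnssec-policy with the measured sizes."""
    return (
        "keys {\n"
        f"        ksk lifetime unlimited algorithm {algorithm} {ksk_bits};\n"
        f"        zsk lifetime unlimited algorithm {algorithm} {zsk_bits};\n"
        "};"
    )


# Constructed sample keys: only the modulus size matters for this check,
# so these are NOT real RSA moduli (top bit set, odd, nothing else).
_KSK_N = ((1 << 2047) | 0x12345).to_bytes(256, "big")
_ZSK_N = ((1 << 1023) | 0x6789).to_bytes(128, "big")
_E = b"\x01\x00\x01"  # public exponent 65537


def _private_file(n: bytes) -> str:
    return ("Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n"
            f"Modulus: {base64.b64encode(n).decode()}\nPublicExponent: AQAB\n")


def _key_file(n: bytes, flags: int) -> str:
    rdata = base64.b64encode(bytes([len(_E)]) + _E + n).decode()
    return f"; constructed sample key\nexample.test. IN DNSKEY {flags} 3 8 {rdata}\n"


SAMPLE_KSK_PRIVATE = _private_file(_KSK_N)
SAMPLE_ZSK_PRIVATE = _private_file(_ZSK_N)
SAMPLE_KSK_KEY = _key_file(_KSK_N, 257)
SAMPLE_ZSK_KEY = _key_file(_ZSK_N, 256)

if __name__ == "__main__":
    alg, ksk_bits = key_size_from_private(SAMPLE_KSK_PRIVATE)
    _, zsk_bits = key_size_from_private(SAMPLE_ZSK_PRIVATE)
    print(key_size_from_keyfile(SAMPLE_KSK_KEY), key_size_from_keyfile(SAMPLE_ZSK_KEY))
    print(policy_keys_stanza(ksk_bits, zsk_bits, alg))
```

On a real system, pass the contents of `K<zone>.+008+<keyid>.private` to `key_size_from_private`, or the `.key` file to `key_size_from_keyfile` when the private half is kept elsewhere; the two readings should agree, and the ZSK sample here is deliberately 1024 bits to show the two roles being told apart.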
