
I am looking to move the private part of the KSK for my domains off my main nameserver. I've tried this with a test domain and get errors like this:

dns_dnssec_keylistfromrdataset: error reading /etc/bind/keys/example.com/Kexample.com.+999+99999.private: file not found
...
dns_dnssec_findzonekeys2: error reading /etc/bind/keys/example.com/Kexample.com.+999+99999.private: file not found

This guide recommends keeping the private KSKs offline without much further comment so I'm guessing it's ok to ignore these warnings? The zone continues to operate as expected and I can make changes fine (the errors just keep appearing).

If it is ok to ignore the warning, is there a way to disable it so the logs don't get filled up?

Tugzrida
Just a note to future me/anyone else: After the private component of the KSK was unavailable for 30 days, the KSK's self signature and the KSK's signature of the ZSK expired and the zone returned BOGUS. There may be a mechanism to change the validity period of these signatures but I haven't investigated that as I'm about to transfer my domains to managed DNS on Cloudflare anyway. – Tugzrida Jun 03 '19 at 04:47
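
The failure described in the comment above (the KSK's signature over the DNSKEY RRset expiring while the private key is offline) can be caught before the zone turns bogus by watching RRSIG expiration times. The following is an added example, not part of the original post or of BIND: it parses `dig +dnssec` style output and flags signatures that are close to expiry. The zone data, key tags, dates and the 7-day threshold are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample in `dig +dnssec` presentation format. Key tags 11111 (KSK)
# and 22222 (ZSK), the dates and the truncated signatures are made up.
SAMPLE = """\
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20190603044700 20190504044700 11111 example.com. c2ln...
example.com. 3600 IN RRSIG SOA 13 2 3600 20190628010000 20190529010000 22222 example.com. c2ln...
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2019052901 7200 3600 1209600 3600
"""

def _ts(field):
    # RRSIG times in presentation format are YYYYMMDDHHMMSS, UTC (RFC 4034, 3.2)
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (type_covered, key_tag, inception, expiration) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
        if len(f) >= 13 and f[3] == "RRSIG":
            yield f[4], int(f[10]), _ts(f[9]), _ts(f[8])

def check(text, now, warn_days=7):
    """Return [(type_covered, key_tag, state, whole_days_left)], soonest expiry first."""
    rows = []
    for covered, tag, inception, expiration in parse_rrsigs(text):
        days = (expiration - now).days  # negative once the signature has expired
        if now > expiration:
            state = "EXPIRED"
        elif now < inception:
            state = "NOT_YET_VALID"
        elif days < warn_days:
            state = "WARN"
        else:
            state = "OK"
        rows.append((covered, tag, state, days))
    return sorted(rows, key=lambda r: r[3])

if __name__ == "__main__":
    now = datetime(2019, 5, 30, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
    for covered, tag, state, days in check(SAMPLE, now):
        print(f"{state:8} {covered:7} keytag={tag} days_left={days}")
```

In the sample the ZSK-signed SOA signature has been refreshed by the server, while the KSK-signed DNSKEY signature has not, which is the pattern to expect when only the KSK private key is missing.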

0 Answers