And ... Yay! Think I've got it pretty well figured out. There is a way to go from auto-dnssec maintain to dnssec-policy and even do key rotations thereafter, and manage to not break DNSSEC at all. At this point have run through multiple test runs of that, and all looking good. Mostly a matter of exactly how to (and not to) do the transition from auto-dnssec maintain to dnssec-policy and how to do the first key rotations after that. Once all that's well taken care of, looks like it's easy peasy thereafter. Just have to properly make it to that point first.
E.g. can look at these sequences, from: 2024-09-29T08:23:45Z https://dnsviz.net/d/dnssec-test.balug.org/ZvkOkQ/dnssec/ through 2024-09-29T22:46:52Z https://dnsviz.net/d/dnssec-test.balug.org/dnssec/
On Fri, Sep 27, 2024 at 2:56 PM Michael Paoli michael.paoli@berkeley.edu wrote:
Upon further testing, mostly just don't do: rndc dnssec -rollover -key oldid zone even for ZSK, as appears in at least some circumstances it instantly ejects the old key when it ought not. So only use it as a last step to finally get that key out of DNS (and remove key file itself if policy is likewise set to do that or later to that) after all other bits of the rollover have been properly done. So, in other words, don't use -rollover to do rollover. <sigh> Just don't. At least not for this (1:9.18.28-1~deb12u2) version of BIND ... and probably any BIND with dnssec-policy <= at least 9.18.x. I'll probably reevaluate with future major BIND version upgrade, but I'm not going to trust that to properly do rollover with the current, given its oft observed behaviors.
On Fri, Sep 27, 2024 at 7:45 AM Michael Paoli michael.paoli@berkeley.edu wrote:
Okay, so, ... I think I got it effectively figured out. rndc dnssec -rollover -key oldid zone (though that appears perfectly fine for ZSK)
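As an added illustration (not configuration from the thread or from the poster) of the auto-dnssec maintain to dnssec-policy switch discussed above: the point that makes the transition safe is that the new policy's key algorithm and sizes match the key files BIND is already using, so BIND adopts the existing keys instead of treating the change as an algorithm rollover. The policy name, timing values and file paths below are assumptions; the zone name is the one tested in the thread.

```conf
// Constructed example, not the poster's config. Assumes the existing
// K* key files for the zone are ECDSAP256SHA256 (adjust to match yours).
// If the algorithm or size here differs from the keys on disk, BIND will
// start an algorithm rollover on the switch instead of adopting the keys.
dnssec-policy "take-over-existing" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P30D      algorithm ecdsap256sha256;
    };
    // Conservative timing so cached DNSKEY/DS/RRSIG records stay valid
    // across the switch and across the first policy-driven rotation.
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    parent-ds-ttl 86400;
    parent-propagation-delay PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
};

zone "dnssec-test.balug.org" {
    type primary;
    file "/var/lib/bind/dnssec-test.balug.org.zone";  // assumed path
    key-directory "/var/lib/bind/keys";                // assumed path
    // before: auto-dnssec maintain; inline-signing yes;
    dnssec-policy "take-over-existing";
    inline-signing yes;
};
```

After reloading, `rndc dnssec -status dnssec-test.balug.org` should list the pre-existing key IDs in the policy's key states rather than newly generated ones; dnsviz snapshots like those linked above confirm that the DNSKEY, DS and RRSIG chain never breaks while the keys move through their states.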