Upon further testing, mostly just don't do: rndc dnssec -rollover -key oldid zone even for ZSK, as it appears that in at least some circumstances it instantly ejects the old key when it ought not. So only use it as a last step to finally get that key out of DNS (and remove the key file itself if policy is likewise set to do that, or later do that) after all other bits of the rollover have been properly done. So, in other words, don't use -rollover to do rollover. <sigh> Just don't. At least not for this (1:9.18.28-1~deb12u2) version of BIND ... and probably any BIND with dnssec-policy <= at least 9.18.x. I'll probably reevaluate with a future major BIND version upgrade, but I'm not going to trust that to properly do rollover with the current one, given its oft observed behaviors.
On Fri, Sep 27, 2024 at 7:45 AM Michael Paoli michael.paoli@berkeley.edu wrote:
Okay, so, ... I think I got it effectively figured out. rndc dnssec -rollover -key oldid zone (though that appears perfectly fine for ZSK)
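The advice above boils down to: before you let anything eject the old ZSK, verify on your own that the rest of the rollover has actually finished. The following is an added example (not from the poster or from the BIND project) of one way to do that check offline. It assumes the key `.state` files that BIND writes next to the key files under dnssec-policy, with lines such as `DNSKEYState: omnipresent` and `ZRRSIGState: hidden`; that format, the state names, and the two sample files below are all constructed for the example and should be checked against your own key directory before relying on it.

```python
"""Decide whether a BIND dnssec-policy ZSK rollover has reached the point
where retiring the old key is safe, by reading the per-key .state files.

Assumed .state format (constructed for this example, check against your
own key directory): one "Name: value" per line, ';' starts a comment.

Safe to retire the old ZSK means, in the dnssec-policy state model:
  * the new key's DNSKEY is omnipresent (every resolver can have seen it), and
  * the new key's zone signatures (ZRRSIG) are omnipresent, and
  * the old key's zone signatures are already hidden (no cached RRSIG still
    needs the old DNSKEY for validation).
"""
import re
from pathlib import Path
from typing import Dict

# "Name: value" lines; BIND state names are CamelCase with no spaces.
STATE_LINE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_state(text: str) -> Dict[str, str]:
    """Parse the contents of a key .state file into a dict."""
    state: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = STATE_LINE.match(line)
        if m:
            state[m.group(1)] = m.group(2)
    return state


def load_state(path: Path) -> Dict[str, str]:
    """Read and parse a .state file from disk."""
    return parse_state(path.read_text())


def is_zsk(state: Dict[str, str]) -> bool:
    return state.get("ZSK", "no") == "yes"


def zsk_rollover_complete(old: Dict[str, str], new: Dict[str, str]) -> bool:
    """True only when the successor is fully in place and the predecessor's
    signatures are gone from caches, i.e. the old key can be withdrawn."""
    if not (is_zsk(old) and is_zsk(new)):
        return False
    return (
        new.get("DNSKEYState") == "omnipresent"
        and new.get("ZRRSIGState") == "omnipresent"
        and old.get("ZRRSIGState") == "hidden"
    )


# Constructed sample state files (not real keys): a rollover mid-way, where
# the old key's signatures are still being withdrawn from caches ...
OLD_MIDWAY = """\
; This is the state of key 11111, for example.net.
Algorithm: 13
Length: 256
KSK: no
ZSK: yes
DNSKEYState: omnipresent
ZRRSIGState: unretentive
GoalState: hidden
"""

# ... and the same old key later, once its signatures have aged out.
OLD_DONE = OLD_MIDWAY.replace("ZRRSIGState: unretentive", "ZRRSIGState: hidden")

NEW_KEY = """\
; This is the state of key 22222, for example.net.
Algorithm: 13
Length: 256
KSK: no
ZSK: yes
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
"""


def check_samples() -> Dict[str, bool]:
    """Run the check over the constructed samples; used by the demo below."""
    new = parse_state(NEW_KEY)
    return {
        "midway": zsk_rollover_complete(parse_state(OLD_MIDWAY), new),
        "done": zsk_rollover_complete(parse_state(OLD_DONE), new),
    }


if __name__ == "__main__":
    for label, ok in check_samples().items():
        print(f"{label}: {'safe to retire old ZSK' if ok else 'NOT yet safe'}")
```

In practice you would point `load_state` at the two `K<zone>+<alg>+<id>.state` files for the predecessor and successor and only proceed with any manual withdrawal when the function returns true; while it returns false, the right move is to wait for the policy timers, not to force the step.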