BIND DNSSEC Keys remain active although expired


Scenario:

  • BIND9 (9.18) running on Debian 12 "bookworm" as primary DNS for a whole bunch of zones.
  • A dnssec-policy is in place, which establishes automatic signing of zone entries.
  • Keys (KSK & ZSK) are rolled over regularly (1Y & 30D).
  • DS-Records are pushed upstream.

Overall a pretty good working and secure DNS setup, which has been working for quite a while already.

Now, we noticed that there seems to be a problem with proper key expiration for KSKs. After some KSK rotations have been performed over the years, expired KSKs seem to remain in the zone. According to their timing parameters, they should have been deleted a long time ago, but they still persist in the zone (DNSSEC entries as well as key files).

Example: A zone has already accumulated 4 KSKs (with only 2 active currently). One of the expired keys is ID 57979, which is still present in the zone. (Data shown below is from the key state file Kredacted.com.+008+57979.state)

; This is the state of key 57979, for redacted.com.
Algorithm: 8
Length: 2048
Lifetime: 31536000
Successor: 46306
KSK: yes
ZSK: no
Generated: 20201230124011 (Wed Dec 30 13:40:11 2020)
Published: 20201230124011 (Wed Dec 30 13:40:11 2020)
Active: 20201230124011 (Wed Dec 30 13:40:11 2020)
Retired: 20211230124011 (Thu Dec 30 13:40:11 2021)
Removed: 20211231144011 (Fri Dec 31 15:40:11 2021)
PublishCDS: 20201231134511 (Thu Dec 31 14:45:11 2020)
DNSKEYChange: 20201230144511 (Wed Dec 30 15:45:11 2020)
KRRSIGChange: 20201230144511 (Wed Dec 30 15:45:11 2020)
DSChange: 20211230124011 (Thu Dec 30 13:40:11 2021)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden

All key management (signing, timings, roll-overs, ...) is performed by bind on its own. There is no manual process involved. Thus, I would expect that expired keys are also removed automatically by bind - but they aren't. I have already done a ton of research and went up & down through the bind manuals, but to no avail.

My Questions:

  • Why are expired keys (KSKs in particular) not removed?
  • If they are still used for something (and thus not removed), how can I identify what that is?
  • And finally: What is a possible cause for this behavior and how can it be fixed?
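Added example (not part of the original post or of BIND itself): a small parser for a BIND 9 KASP key state file, such as the Kredacted.com.+008+57979.state shown above, that reports which record states are keeping the key alive. It encodes the rule documented for BIND's dnssec-policy key manager that a key is only eligible for deletion (and its files for purging) once its DNSKEY, RRSIG and DS states are all "hidden"; the GoalState field says where BIND wants the key to go, the per-record states say where it actually is. The sample input is the state file from the question, embedded verbatim; the function names are this example's own.

```python
"""Inspect a BIND 9 KASP key state file and report what blocks key removal.

Rule implemented (from BIND's dnssec-policy documentation): a key whose
GoalState is "hidden" is removed from the zone, and later purged, only once
every record state (DNSKEYState, KRRSIGState/ZRRSIGState, DSState) is "hidden".
"""
from datetime import datetime

# Input constructed for this example: the state file quoted in the question.
STATE_FILE = """\
; This is the state of key 57979, for redacted.com.
Algorithm: 8
Length: 2048
Lifetime: 31536000
Successor: 46306
KSK: yes
ZSK: no
Generated: 20201230124011 (Wed Dec 30 13:40:11 2020)
Published: 20201230124011 (Wed Dec 30 13:40:11 2020)
Active: 20201230124011 (Wed Dec 30 13:40:11 2020)
Retired: 20211230124011 (Thu Dec 30 13:40:11 2021)
Removed: 20211231144011 (Fri Dec 31 15:40:11 2021)
PublishCDS: 20201231134511 (Thu Dec 31 14:45:11 2020)
DNSKEYChange: 20201230144511 (Wed Dec 30 15:45:11 2020)
KRRSIGChange: 20201230144511 (Wed Dec 30 15:45:11 2020)
DSChange: 20211230124011 (Thu Dec 30 13:40:11 2021)
DNSKEYState: omnipresent
KRRSIGState: omnipresent
DSState: unretentive
GoalState: hidden
"""

# Per-record states tracked in a BIND key state file.
RECORD_STATES = ("DNSKEYState", "KRRSIGState", "ZRRSIGState", "DSState")


def parse_state_file(text):
    """Return a dict of field -> value; 14-digit timestamps become datetimes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # comment lines start with ';'
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        # Timestamps look like "20211230124011 (Thu Dec 30 ...)"; keep the numeric part.
        stamp = value.split(" ", 1)[0]
        if len(stamp) == 14 and stamp.isdigit():
            value = datetime.strptime(stamp, "%Y%m%d%H%M%S")
        fields[key.strip()] = value
    return fields


def blocking_states(fields):
    """Record states that are not yet 'hidden' and therefore keep the key alive."""
    return {name: state for name, state in fields.items()
            if name in RECORD_STATES and state != "hidden"}


def removal_report(fields, now):
    """Summarise whether the key is past retirement and what still blocks deletion."""
    goal = fields.get("GoalState")
    blocked = blocking_states(fields)
    retired = fields.get("Retired")
    past_retire = retired is not None and now >= retired
    if goal != "hidden":
        verdict = "key is not scheduled for removal (GoalState is %s)" % goal
    elif not blocked:
        verdict = "all record states hidden: key can be removed and its files purged"
    else:
        verdict = "goal is hidden but these states block deletion: " + ", ".join(
            "%s=%s" % kv for kv in sorted(blocked.items()))
    return {"goal": goal, "blocked": blocked, "past_retire": past_retire,
            "verdict": verdict}


if __name__ == "__main__":
    report = removal_report(parse_state_file(STATE_FILE), datetime.now())
    print(report["verdict"])
```

For the key in the question the report shows GoalState hidden while DSState is still "unretentive", i.e. BIND is waiting to learn that the parent has dropped the DS record; in BIND's model that transition to "hidden" happens only after the withdrawal is confirmed (through the `rndc dnssec -checkds withdrawn` signal or a configured parental-agents check), and until it does the DNSKEY and its RRSIG remain "omnipresent" and the key stays in the zone.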

There are 0 answers