dnssec/obsolete dns keys removal - how to?
Dear all,

I have tried some faulty ways to set up dnssec for some of my domains about a month ago. This resulted in the creation of several ZSK, KSK and CSK dnssec keys (and files) until I got a configuration that actually was working as it should. Due to proper ignorance and non-knowledge I deleted those files at some point in between while trying. After a while I got a correctly working setup (using the default *facepalm*).

Although I have then successfully managed to get the correct key setup into the DS with the root tld zones, I have mysterious DNSKEY entries on my bind installations for these particular domains that I do not seem to get rid of. I do not have the initially created key files anymore; they are nowhere referenced in the bind configuration of the zones or anywhere in bind. I even deleted the /var/lib/bind/ directory contents of the master and secondaries, restarted all bind binaries. They are still there. And yes, I shut down all binds, deleted the files, restarted them again. Still somewhere existing.

How do I get these obsolete entries removed?

The working (and now current) setup is simply the default

    ...
    dnssec-policy default;
    key-directory "/etc/bind/zones/master/floppy-friends/rosen-roth.com-keys/";
    inline-signing yes;
    serial-update-method increment;
    };

in the zone directives for the master bind.

    root@theater:/etc/bind# dig rosen-roth.com. DNSKEY

    ; <<>> DiG 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu <<>> rosen-roth.com. DNSKEY
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37442
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: a797dbfa0e86e303010068556a2fa1cfa1f6c89a33aa (good)
    ;; QUESTION SECTION:
    ;rosen-roth.com.                IN      DNSKEY

    ;; ANSWER SECTION:
    rosen-roth.com.         3600    IN      DNSKEY  257 3 13 CtkLyrsB5YZ7Q8xXW8xNrLrXXbVt9FlQhZN4YXtAIGZ7XhIgxca3dn5s fowG0GVA5uVU3VKmZDxg3uYOWc1KVg==
    rosen-roth.com.         3600    IN      DNSKEY  257 3 13 U04Pkg5Y4PVyVmGf1+d2nsjsCncm8uvVZ55Ci/UsOLVFJboaYw5UWMb4 LWNuBBNv/TDnlJT6fbhN+LockkW+iA==

    root@theater:/etc/bind# rndc dnssec -status rosen-roth.com
    dnssec-policy: default
    current time:  Fri Jun 20 16:03:48 2025

    key: 30519 (ECDSAP256SHA256), CSK
      published:      yes - since Mon Jun  2 21:20:55 2025
      key signing:    yes - since Mon Jun  2 21:20:55 2025
      zone signing:   yes - since Mon Jun  2 21:20:55 2025

      No rollover scheduled
      - goal:           omnipresent
      - dnskey:         omnipresent
      - ds:             omnipresent
      - zone rrsig:     omnipresent
      - key rrsig:      omnipresent

    root@theater:/etc/bind# l zones/master/floppy-friends/rosen-roth.com-keys/
    total 20
    drwxrws---  2 bind bind 4096 Jun  4 23:25 ./
    drwxrwsr-x 20 root bind 4096 Jun 20 15:54 ../
    -rw-r--r--  1 bind bind  409 Jun  4 23:25 Krosen-roth.com.+013+30519.key
    -rw-------  1 bind bind  241 Jun  4 23:25 Krosen-roth.com.+013+30519.private
    -rw-r--r--  1 bind bind  727 Jun  4 23:25 Krosen-roth.com.+013+30519.state

https://dnsviz.net/d/rosen-roth.com/analyze/ shows that the key id 30519 is used as it should. But the other key 46018 exists there, signed by 30519 apparently. The 46018 is expired now, which is probably good, but how the h* do I get this thing "deleted"? I do not know where this "key" is "hiding"...

I have 2 more domains, one even suffers from 4 existing keys (3 phantom).

Btw, I did NOT submit those "obsolete" keys for entry in the corresponding .tld zone DS lists...

Any pointers would be highly appreciated.

    root@theater:/etc/bind# named -version
    BIND 9.20.10-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu (Extended Support Version)

(existed with the 9.20.9 as well)

Florian

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec/obsolete dns keys removal - how to?
Hello,

wow, that did the trick. I didn't think of this at all. It -after all- appeared to be VERY obvious. I don't know why I overlooked this possibility.

THANK YOU!

On 20.06.2025 at 19:03, Crist Clark wrote:
> Do you have a .signed file that BIND created? To be 100%, shutdown named, kill that file, then restart. But removing the file and just doing an rndc reload on the zone may be enough.
>
> On Fri, Jun 20, 2025 at 7:20 AM Florian Piekert via bind-users <bind-users@lists.isc.org> wrote:
>> Dear all,
>>
>> I have tried some faulty ways to set up dnssec for some of my domains about a month ago. This resulted in the creation of several ZSK, KSK and CSK dnssec keys (and files) until I got a configuration that actually was working as it should. Due to proper ignorance and non-knowledge I deleted those files at some point in between while trying. After a while I got a correctly working setup (using the default *facepalm*).
>>
>> Although I have then successfully managed to get the correct key setup into the DS with the root tld zones, I have mysterious DNSKEY entries on my bind installations for these particular domains that I do not seem to get rid of. I do not have the initially created key files anymore; they are nowhere referenced in the bind configuration of the zones or anywhere in bind. I even deleted the /var/lib/bind/ directory contents of the master and secondaries, restarted all bind binaries. They are still there. And yes, I shut down all binds, deleted the files, restarted them again. Still somewhere existing.
>>
>> How do I get these obsolete entries removed?
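The diagnosis above (stale DNSKEY records served from the inline-signing .signed file rather than from key-directory) can be confirmed before deleting anything. The following is an added example, not code from the thread or from BIND: it computes key tags (RFC 4034 Appendix B) from `dig ZONE DNSKEY` output and reports tags with no matching K*.key file in key-directory; the zone name, key material and file names are constructed for the demonstration.

```python
import base64
import re

# One DNSKEY line from `dig <zone> DNSKEY`; dig prints the base64 public
# key in space-separated chunks, so spaces are allowed inside the key.
DNSKEY_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+([A-Za-z0-9+/= ]+)$"
)
# BIND key file names: K<zone>.+<alg, 3 digits>+<tag, 5 digits>.key
KEYFILE_RE = re.compile(r"^K.+\.\+\d{3}\+(\d{5})\.key$")

# Constructed sample with tiny fake keys (not real DNSSEC material): the
# second DNSKEY has no key file, the "phantom" key case from the thread.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.test.  3600  IN  DNSKEY  257 3 13 AAE=
example.test.  3600  IN  DNSKEY  257 3 13 AAI=
"""
SAMPLE_FILES = ["Kexample.test.+013+01039.key", "Kexample.test.+013+01039.private"]


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def zone_key_tags(dig_output):
    """Map key tag -> (flags, algorithm) for every DNSKEY in dig's answer."""
    tags = {}
    for line in dig_output.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if m:
            flags, proto, alg = (int(x) for x in m.group(1, 2, 3))
            pub = base64.b64decode(m.group(4).replace(" ", ""))
            tags[key_tag(flags, proto, alg, pub)] = (flags, alg)
    return tags


def key_file_tags(filenames):
    """Key tags that have a K<zone>.+<alg>+<tag>.key file in key-directory."""
    return {int(m.group(1)) for m in map(KEYFILE_RE.match, filenames) if m}


def phantom_keys(dig_output, filenames):
    """Tags served in the DNSKEY RRset but missing from key-directory
    (pass os.listdir(key_directory)); any hit points at a stale .signed file."""
    return set(zone_key_tags(dig_output)) - key_file_tags(filenames)
```

Run against real output by feeding `dig ZONE DNSKEY` text and `os.listdir()` of the zone's key-directory to `phantom_keys`; an empty result means every served DNSKEY has a key file, a non-empty one lists the tags that survive only in the signed zone file.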
Re: question about resolving of AAAA amazoses.com
Hello and many thanks for the quick all-answering response! Thanks to Greg as well, I leave it to Petr's answer then :-)

On 04.07.2025 at 10:13, Petr Špaček wrote:
> On 04. 07. 25 9:56, Florian Piekert via bind-users wrote:
>> Hello all,
>>
>> I frequently have this in my logs
>>
>> May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5303:c800::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
>> ...
>> May 4 14:29:16 sonne named[4035767]: DNS format error from 205.251.192.82#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
>>
>> and was wondering IF there is a misconfiguration on my bind?
>
> No, it's misconfiguration on the auth side. See e.g. https://lists.isc.org/pipermail/bind-users/2021-January/104064.html for an explanation.

Florian
question about resolving of AAAA amazoses.com
Hello all,

I frequently have this in my logs

    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5303:c800::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: resolver: notice: DNS format error from 2600:9000:5303:c800::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5303:c800::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5304:dc00::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: resolver: notice: DNS format error from 2600:9000:5304:dc00::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5304:dc00::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5306:cb00::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: resolver: notice: DNS format error from 2600:9000:5306:cb00::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5306:cb00::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5300:5200::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: resolver: notice: DNS format error from 2600:9000:5300:5200::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 2600:9000:5300:5200::1#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 205.251.195.200#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: resolver: notice: DNS format error from 205.251.195.200#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 205.251.195.200#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 205.251.196.220#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: resolver: notice: DNS format error from 205.251.196.220#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099: Name us-east-1.amazonses.com (SOA) not subdomain of zone feedback-smtp.us-east-1.amazonses.com -- invalid response
    May 4 14:29:16 sonne named[4035767]: DNS format error from 205.251.196.220#53 resolving feedback-smtp.us-east-1.amazonses.com/ for 127.0.0.1#44099