
port DNSSEC key rotations to BIND's new KASP system

@weasel let me know that Debian 13 Trixie's new BIND release has finished the deprecation of some configuration snippets our legacy DNSSEC rotation scripts rely on.

During the debian.org trixie upgrade of the primary DNS server, this broke and kept BIND from starting until it was fixed.

So we can't upgrade nevii until we figure this out. This was briefly mentioned in #41794 (comment 3203848) but I didn't realize the breakage was so total.

Overall, the idea here is to switch to BIND's KASP mechanism. The Arch wiki has a guide for this, and upstream has slides explaining the system, documentation on signing policy, and specifically the KASP docs.

@weasel shared the following diff with me a while back:

 inline-signing yes;

 };
+  dnssec-policy "dnssec-policy-mustelid.at" {
+    keys {
+      // ksk key-directory lifetime P2Y algorithm rsasha256 2048;
+      // zsk key-directory lifetime P4M algorithm rsasha256 2048;
+      ksk key-directory lifetime P4M algorithm rsasha256 2048;
+      zsk key-directory lifetime P50D algorithm rsasha256 1536;
+    };
+
+    dnskey-ttl P1D;
+    max-zone-ttl P1W;
+    nsec3param;
+
+    publish-safety P15D;
+    purge-keys P90D;
+    retire-safety P15D;
+
+    zone-propagation-delay PT8H;
+
+    signatures-refresh P25D;
+    signatures-validity P40D;
+    signatures-validity-dnskey P40D;
+  };
+
 zone "mustelid.at" {
         type master;
         file "/srv/dns.noreply.org/var/generated/mustelid.at";
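Review bot: the active `keys` lines set `ksk key-directory lifetime P4M` and `zsk key-directory lifetime P50D algorithm rsasha256 1536`, which is the opposite of what the two commented-out lines just above them propose (`P2Y` for the KSK and 2048 bits for the ZSK). A four-month KSK lifetime means a KSK rollover, and therefore a DS update at the parent, three times a year, and 1536-bit RSA is below the 2048-bit length that is the usual floor for RSA today; either restore the commented-out values or record in a comment why the short lifetimes and the smaller ZSK were chosen. Also, a bare `nsec3param;` takes BIND's defaults for iterations, salt and opt-out; if the zone is meant to keep specific NSEC3 parameters, spell them out on that line so the migration does not change them silently.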
@@ -506,12 +542,12 @@
  2a04:dd00:21:3::2   ; // ns2.sthu.org/plato.sthu.org

         };
-        key-directory "/srv/dns.noreply.org/var/keys/mustelid.at";
-sig-validity-interval 40 25;
-auto-dnssec maintain;
-inline-signing yes;
+          key-directory "/srv/dns.noreply.org/var/keys/mustelid.at";
+  dnssec-policy "dnssec-policy-mustelid.at";
+  inline-signing yes;
  
 };
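Review bot: the removed `sig-validity-interval 40 25;` is carried over into the policy as `signatures-validity P40D` with `signatures-refresh P25D`, so the signing cadence does not change, but `auto-dnssec maintain;` is dropped without the hunk saying what happens to the keys already in `/srv/dns.noreply.org/var/keys/mustelid.at`: BIND keeps using existing keys only when they match the policy's algorithm, role and (for RSA) length, and starts a rollover on first load for keys that do not, so inventory the existing key files against the policy before deploying this. Style: `key-directory` is now indented with ten spaces while the two lines added below it use two.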

But more recently, he pointed at https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/blob/production/modules/named/files/dnssec-policy.conf?ref_type=heads and https://salsa.debian.org/dsa-team/mirror/domains/-/blob/master/debian.net?ref_type=heads

One might also want to consider not using DNSSEC entirely; here are some critiques:

Part of the work here also requires turning off the legacy automation around this. This involves the keys in /srv/dns.torproject.org/var/keys (which the new BIND system might or might not reuse), the manage-dnssec-keys cron job (under the dnsadm user) and other dnssec-helpers scripts.
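Whether KASP can take over the existing keys depends on whether they match the policy's algorithm and role, so an inventory of the key directory is the first thing to check before switching. The script below is an added example, not code from this issue, from dnssec-helpers or from BIND: it parses the DNSKEY record in each `K*.key` file (with or without the optional TTL field that `dnssec-keygen -L` adds), reports the role from the flags field and the algorithm from its IANA number, and lists the keys a policy with `algorithm rsasha256` (number 8) would not adopt. The key directory, the file names and the key data are constructed for the example; the base64 blobs are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the issue or BIND): inventory the K*.key files
# in a BIND key directory and list the ones whose algorithm differs from
# the one a dnssec-policy names, so a migration can tell which keys KASP
# will keep and which would trigger a rollover.
set -eu

# DNSKEY algorithm numbers (IANA registry) mapped to the mnemonics that
# dnssec-policy "keys" statements use (lower-cased there, e.g. rsasha256).
alg_name() {
    case "$1" in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Print "filename role algorithm" for every K*.key file in directory $1.
# A .key file holds one DNSKEY RR, with or without a TTL:
#   example.org. [3600] IN DNSKEY 257 3 8 AwEAA...
# flags 257 = KSK (SEP bit set), 256 = ZSK; after the flags come the
# protocol field (always 3) and the algorithm number.
inventory_keys() {
    for f in "$1"/K*.key; do
        [ -e "$f" ] || continue
        grep -v '^;' "$f" | while read -r line; do
            set -- $line
            # Skip owner name, optional TTL and class until the RR type.
            while [ $# -gt 0 ] && [ "$1" != DNSKEY ]; do shift; done
            [ $# -ge 4 ] || continue
            case "$2" in
                257) role=KSK ;;
                256) role=ZSK ;;
                *)   role="flags=$2" ;;
            esac
            echo "${f##*/} $role $(alg_name "$4")"
        done
    done
}

# Print only the keys whose algorithm is not the policy's; $2 is the
# policy algorithm as its IANA number (8 for "algorithm rsasha256").
keys_not_matching() {
    want=$(alg_name "$2")
    inventory_keys "$1" | while read -r name role alg; do
        [ "$alg" = "$want" ] || echo "$name $role $alg"
    done
}

# Constructed sample key directory: an RSASHA256 KSK and ZSK plus one
# leftover RSASHA1 ZSK. The key data below is a placeholder, not a key.
KEYDIR=$(mktemp -d)
printf '%s\n' '; This is a key-signing key, keyid 12345, for example.org.' \
    'example.org. IN DNSKEY 257 3 8 AwEAAfakeKSKplaceholder==' \
    > "$KEYDIR/Kexample.org.+008+12345.key"
printf '%s\n' 'example.org. 3600 IN DNSKEY 256 3 8 AwEAAfakeZSKplaceholder==' \
    > "$KEYDIR/Kexample.org.+008+23456.key"
printf '%s\n' 'example.org. IN DNSKEY 256 3 5 AwEAAfakeOldZSKplaceholder==' \
    > "$KEYDIR/Kexample.org.+005+34567.key"

echo "All keys in $KEYDIR:"
inventory_keys "$KEYDIR"
echo "Keys a policy with 'algorithm rsasha256' would not adopt:"
keys_not_matching "$KEYDIR" 8
```

Run it against a real key directory by replacing `$KEYDIR` with the path in question; any key it lists under the second heading is one the new policy will roll rather than reuse, which is worth knowing before the legacy cron job is switched off.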

Edited by anarcat