On Tue, Jul 05, 2011 at 07:34:22PM -0700, Evan Hunt wrote:
> The key is being published now, and its activation date (i.e., when it
> will start to be used to sign records) is in the near future: less than
> the TTL of the DNSKEY record from now.
>
> When the key starts signing, then someone could get an RRSIG generated by
> that key... but, if that same someone had a cached copy of the DNSKEY
> record from *before* the key was published, then validation could fail.
>
> So, what it's telling you is that named won't start signing records with
> this key until after the old DNSKEY record is guaranteed to have expired
> out of all the resolver caches.
Hmm, thanks for the explanation. However, for this case, while the activation date was in the near future, the *publish* date was far in the past. Per the log output from my update script (which runs dnssec-signzone behind the scenes):

Jun 30 17:07:26 dns_update[8373]: warning: Key csupomona.edu/RSASHA256/17755: Delaying activation to match the DNSKEY TTL. (sign_zone)
Jun 30 17:07:26 dns_update[8373]: warning: Key csupomona.edu/RSASHA256/1161: Delaying activation to match the DNSKEY TTL. (sign_zone)

And the corresponding key timing info:

$ dnssec-settime -p all Kcsupomona.edu.+008+17755.key
Created: Thu Jul 8 19:05:30 2010
Publish: Thu Jul 8 19:05:30 2010
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Sun Jul 1 00:00:00 2012
Delete: Tue Jul 3 00:00:00 2012

$ dnssec-settime -p all Kcsupomona.edu.+008+01161.key
Created: Wed Jun 1 00:02:02 2011
Publish: Wed Jun 1 00:02:02 2011
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Mon Aug 1 00:00:00 2011
Delete: Wed Aug 3 00:00:00 2011

I was rolling both the ZSK and my KSK; the first should have been published for the last month, the second for the last year?

Wait, how does dnssec-signzone know whether or not a key has been published? I could have created a key 10 seconds ago and set a publication date of last year, and what would distinguish that from a key actually created and published last year?

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | hen...@csupomona.edu
California State Polytechnic University | Pomona CA 91768
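The rule Evan describes (do not sign with a key until one DNSKEY TTL has passed since its publish time) written as a check over the `dnssec-settime -p all` output quoted above. This is example code added here, not dnssec-signzone's own logic; the DNSKEY TTL of 86400 s and the third key KEY_LATE are assumptions, since the thread gives neither. Applied to the two keys above it flags neither, consistent with Paul's point that both had been published well before their activation date.

```python
from datetime import datetime, timedelta

# Constructed input: the two keys' metadata as printed by `dnssec-settime -p all`
# above, plus an invented key (KEY_LATE) published four hours before activation.
KEY_17755 = """Created: Thu Jul 8 19:05:30 2010
Publish: Thu Jul 8 19:05:30 2010
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Sun Jul 1 00:00:00 2012
Delete: Tue Jul 3 00:00:00 2012"""
KEY_01161 = """Created: Wed Jun 1 00:02:02 2011
Publish: Wed Jun 1 00:02:02 2011
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Mon Aug 1 00:00:00 2011
Delete: Wed Aug 3 00:00:00 2011"""
KEY_LATE = """Publish: Thu Jun 30 20:00:00 2011
Activate: Fri Jul 1 00:00:00 2011"""

DNSKEY_TTL = 86400  # assumed DNSKEY RRset TTL in seconds; not given in the thread


def parse_settime(output):
    """Map each timing event to a datetime (None where the value is UNSET)."""
    times = {}
    for line in output.splitlines():
        event, _, value = line.partition(":")  # first ':' ends the event name
        value = value.strip()
        times[event.strip()] = (None if value == "UNSET" else
                                datetime.strptime(value, "%a %b %d %H:%M:%S %Y"))
    return times


def effective_activation(times, dnskey_ttl=DNSKEY_TTL):
    """Earliest time a signer following the rule above may use the key: never
    before Activate, and never before Publish + DNSKEY TTL, so that every
    resolver cache has expired the DNSKEY RRset that did not yet contain it."""
    earliest_safe = times["Publish"] + timedelta(seconds=dnskey_ttl)
    return max(times["Activate"], earliest_safe)


def activation_delayed(times, dnskey_ttl=DNSKEY_TTL):
    """True when the rule pushes signing past the configured Activate time."""
    return effective_activation(times, dnskey_ttl) > times["Activate"]


if __name__ == "__main__":
    for name, text in (("17755", KEY_17755), ("01161", KEY_01161), ("late", KEY_LATE)):
        t = parse_settime(text)
        print(name, "delayed" if activation_delayed(t) else "on time",
              effective_activation(t))
```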