On Dec 1 2011, McConville, Kevin wrote:

Hopefully this is a "duh" moment that I'm having. I am testing out what
happens when you have set the ZSK inactive and delete times and then try
to sign the zone via a rndc reload zonename command (using static zone
file with inline signing).

We have 3 keys as listed below:

KSK - 63406
ZSK - 16122
ZSK - 55416
--------------------------------

$dnssec-settime -p all Kualbanytest.org.+005+63406
Created: Fri Apr 22 12:49:33 2011
Publish: Fri Apr 22 12:49:33 2011
Activate: Fri Apr 22 12:49:33 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

$dnssec-settime -p all Kualbanytest.org.+005+16122
Created: Tue Nov 29 14:27:19 2011
Publish: Tue Nov 29 14:27:19 2011
Activate: Tue Nov 29 14:27:19 2011
Revoke: UNSET
Inactive: Tue Nov 29 16:08:07 2011
Delete: Tue Nov 29 17:08:42 2011

$dnssec-settime -p all Kualbanytest.org.+005+55416
Created: Tue Nov 29 15:13:06 2011
Publish: Tue Nov 29 15:13:06 2011
Activate: Tue Nov 29 15:43:06 2011
Revoke: UNSET
Inactive: Wed Nov 30 15:13:06 2011
Delete: Wed Nov 30 15:47:56 2011

So, key 55416 was pre-published and was temporarily double-signing with
key 16122. By now (13:58 - 12-01-11) both ZSKs (55416 & 16122) should
have been inactive and deleted from the zone key list. However, when
updating the master static zone file and then doing an rndc reload
ualbanytest.org - it signs the zone like there still is a valid ZSK.

Doing a dig +dnssec only lists the KSK of 63406. Same thing when checking
the zone with ( http://dnssec-debugger.verisignlabs.com ).

Did I forget to read a part of the manual? Do I need a new cup of coffee?
Any advice or suggestions are greatly appreciated.

I think that because you have told it to inactivate and indeed delete both
ZSKs, in desperation it has signed the whole zone with the only remaining
key, even though it has the SEP bit set.

Read the description of the "update-check-ksk" option (default "yes")
carefully, including this bit:

| When this option is set to yes, there must be at least two active keys
| for every algorithm represented in the DNSKEY RRset: at least one KSK
| and one ZSK per algorithm. If there is any algorithm for which this
| requirement is not met, this option will be ignored for that algorithm.

--
Chris Thompson
Email: c...@cam.ac.uk
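As an added illustration (not code from either poster), here is a small Python script that parses the dnssec-settime timing output quoted above and applies the update-check-ksk precondition Chris cites, evaluated at the moment the original poster checked the zone. The KSK/ZSK roles are taken from the poster's key list, since dnssec-settime -p all does not print them.

```python
from datetime import datetime

# Constructed input, copied from the thread: (key id, algorithm, role) mapped to
# the timing lines "dnssec-settime -p all" printed for that key. The role
# (KSK/ZSK) comes from the poster's key list, not from the output itself.
KEYS = {
    ("63406", "005", "KSK"): "Activate: Fri Apr 22 12:49:33 2011\nInactive: UNSET\nDelete: UNSET",
    ("16122", "005", "ZSK"): "Activate: Tue Nov 29 14:27:19 2011\n"
                             "Inactive: Tue Nov 29 16:08:07 2011\nDelete: Tue Nov 29 17:08:42 2011",
    ("55416", "005", "ZSK"): "Publish: Tue Nov 29 15:13:06 2011\nActivate: Tue Nov 29 15:43:06 2011\n"
                             "Inactive: Wed Nov 30 15:13:06 2011\nDelete: Wed Nov 30 15:47:56 2011",
}
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # the timestamp format dnssec-settime prints

def parse_settime(text):
    """Map each 'Field: value' line to a datetime; UNSET becomes None."""
    meta = {}
    for line in text.splitlines():
        field, _, value = line.partition(":")
        value = value.strip()
        meta[field.strip()] = None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
    return meta

def key_state(meta, now):
    """Lifecycle state of one key at `now`; the latest event that has passed wins."""
    for field, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Activate", "active"), ("Publish", "published")):
        if meta.get(field) and now >= meta[field]:
            return state
    return "unpublished"

def signing_roles(keys, now):
    """Per algorithm: the active KSKs and ZSKs, and whether the update-check-ksk
    precondition (at least one active KSK and one active ZSK) holds. When it does
    not, BIND ignores the option for that algorithm and every active key signs all RRsets."""
    report = {}
    for (keyid, alg, role), text in keys.items():
        entry = report.setdefault(alg, {"KSK": [], "ZSK": []})
        if key_state(parse_settime(text), now) == "active":
            entry[role].append(keyid)
    for entry in report.values():
        entry["ksk_split_honoured"] = bool(entry["KSK"]) and bool(entry["ZSK"])
    return report

if __name__ == "__main__":
    now = datetime(2011, 12, 1, 13, 58)  # the time the poster checked the zone
    for alg, entry in signing_roles(KEYS, now).items():
        print(f"alg {alg}: active KSKs {entry['KSK']}, active ZSKs {entry['ZSK']}, "
              f"KSK/ZSK split honoured: {entry['ksk_split_honoured']}")
```

At 13:58 on 2011-12-01 the report shows one active KSK and no active ZSK for algorithm 005, which is exactly the case in which the option is ignored and the KSK ends up signing the whole zone.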