I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My
configuration is:

options {
        directory "/tmp/bind";
        key-directory "/tmp/bind"; 
};


zone "example" {
        type master;
        file "example";
        inline-signing yes;
        auto-dnssec maintain;
};

Apparently, everything works. The key I created and put in /tmp/bind
is used, the zone is signed, everyone is happy.

But I get messages:

24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 
missing or inactive and has no replacement: retaining signatures.

Which I do not understand. The key is there:

% ls -lt /tmp/bind/Kexample.+008+46747*
-rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 
/tmp/bind/Kexample.+008+46747.key
-rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 
/tmp/bind/Kexample.+008+46747.private

And is certainly active:

% cat /tmp/bind/Kexample.+008+46747.key 
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
...

And, despite the message "retaining signatures", signatures *are*
regenerated periodically, even after the warning:

example.                600 IN RRSIG DNSKEY 8 1 600 20130725045802 (
                                20130724043925 46747 example.
                                rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
...
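As an added example (not code from the original post or from BIND), a small Python check that reads the timing metadata dnssec-keygen writes into a K*.key file, converts the local-time stamp of a named log line to UTC using the offset the key file itself reveals, and reports what state the key was in when the log line was written. The key file text and log line below are constructed from what the post quotes; the DNSKEY line is a placeholder.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the metadata header of Kexample.+008+46747.key as quoted
# in the post; the DNSKEY line is a placeholder, not real key material.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
example. IN DNSKEY 257 3 8 PLACEHOLDER
"""
# The named log line from the post; named stamps log lines in local time.
SAMPLE_LOG_LINE = ("24-Jul-2013 07:39:25.480 zone example/IN (signed): Key "
                   "example/RSASHA256/46747 missing or inactive and has no "
                   "replacement: retaining signatures.")

META_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})\s*\((.*?)\)")
LOG_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})")

def parse_key_timing(text):
    """Return ({event: UTC datetime}, local-minus-UTC offset) from a .key file.
    Each stamp is YYYYMMDDHHMMSS in UTC followed by the same instant in local
    time, so the pair reveals the host's UTC offset."""
    timing, offset = {}, timedelta(0)
    for line in text.splitlines():
        m = META_RE.match(line)
        if not m:
            continue
        utc = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
        local = datetime.strptime(m.group(3), "%a %b %d %H:%M:%S %Y")
        offset = local - utc
        timing[m.group(1)] = utc.replace(tzinfo=timezone.utc)
    return timing, offset

def log_time_utc(line, offset):
    """Convert the local-time stamp at the start of a named log line to UTC."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("no named timestamp at start of line")
    local = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
    return (local - offset).replace(tzinfo=timezone.utc)

def key_state(timing, when):
    """Key state at `when` from its own metadata: latest reached event wins."""
    for event, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                         ("Activate", "active"), ("Publish", "published")):
        if event in timing and when >= timing[event]:
            return state
    return "unpublished"
```

Run against the quoted key file, the check confirms the key had no Inactive or Delete date and was already active when the warning was logged, so the message is not explained by the key's own timing metadata.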
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users