On 2014-05-28 at 13:02 +1000, Mark Andrews wrote:
> If you want to finish transitioning to RSASHA256 just generate a
> zone signing key RSASHA256. Named will sort things out. You may
> end up with 3 sets of signatures for a while. Don't worry about
> it.
The new DNSKEY had id=33768 and when I deployed it, Bind signed the SOA
with it but nothing else.

$ rndc -s 127.0.0.5 signing -list xn--qck5b9a5eml3bze.jp
Done signing with key 53065/RSASHA256

$ host -lva xn--qck5b9a5eml3bze.jp nsauth | fgrep 33768
xn--qck5b9a5eml3bze.jp. 43200 IN RRSIG DNSKEY 8 2 43200 20140627144436 20140528134436 33768 xn--qck5b9a5eml3bze.jp. BnKhdfy6/nGSEBnOo8EUJvHkzi+5NASKEHRTXE4R1abZprxSuuf2LFUhxzMsrZuvhsj/v7+8p0t5hQJx98Zvph+ddmFy5NfMBo/68OHtvuYPsquKuAQWLJtlykzj8C1MmMlute7tmxcZRaCMO7f26AqI/Pa4aa1JmmIyRtUo+Dg=
xn--qck5b9a5eml3bze.jp. 43200 IN RRSIG SOA 8 2 43200 20140627144436 20140528134436 33768 xn--qck5b9a5eml3bze.jp. R7tyfea3OvFxnwgqL4xseUIAMfbIJsJywYn8hP8zYmTQqD6/31/ysNxVSJ8bnyGA1AwfcBrdjlD8NlDbzZRqMiM6avNF0PWIA8HMfvaB7AJ1aUjeGPLp3lR2zxTGdUpcpfY+Ge2fD2L7jB5hJYvCLEqCK8zDXC6EFYyZJFm0F+A=

It's been almost 14 hours, so anything that was going to slow roll
should have completed. Ran:

$ rndc -s 127.0.0.5 signing -nsec3param 1 0 100 $(openssl rand -hex 8) xn--qck5b9a5eml3bze.jp

(If I'd thought, I could have used the same seed as before by looking
up the NSEC3PARAM type in DNS; ah well, the change should be harmless,
right?)

I'm seeing a very incomplete set of records signed with id=33768.

To make it easier for others to see, and because I didn't want to
reconfig or further perturb bind9.10 on the authoritative master, I
just set one of the secondaries to open zone transfer for this zone.
The `us0ns.globnix.net` server, which gets NOTIFY updates, has
`allow-transfer { any; };` enabled for `xn--qck5b9a5eml3bze.jp`.

$ host -lva xn--qck5b9a5eml3bze.jp us0ns.globnix.net

There are various bits going into the logfile from the default
channel. In `logging {}` I do have `category "dnssec" { "dnssec_log"; };`
but the file taking that channel is, and always has been, empty.
It's hard to see anything about progress or decisions in signing in the
stuff which is going to the default log stream; there's:

----------------------------8< cut here >8------------------------------
28-May-2014 09:44:36.735 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 09:44:36.739 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 28-May-2014 10:44:36.735
28-May-2014 10:34:20.108 general: info: received control channel command 'reload xn--qck5b9a5eml3bze.jp'
28-May-2014 10:34:20.110 general: info: zone xn--qck5b9a5eml3bze.jp/IN (unsigned): ixfr-from-differences: unchanged
28-May-2014 10:44:36.737 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 10:44:36.902 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 28-May-2014 11:44:36.737
28-May-2014 10:44:36.903 notify: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): sending notifies (serial 2014011540)
28-May-2014 10:59:28.035 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 10:59:28.040 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 28-May-2014 11:59:28.035
[...]
28-May-2014 23:59:28.446 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): reconfiguring zone keys
28-May-2014 23:59:28.451 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): next key event: 29-May-2014 00:59:28.446
29-May-2014 00:14:03.818 general: info: received control channel command 'signing -list xn--qck5b9a5eml3bze.jp'
29-May-2014 00:20:51.947 general: info: received control channel command 'signing -list xn--qck5b9a5eml3bze.jp'
29-May-2014 00:28:51.777 general: info: received control channel command 'signing -list xn--qck5b9a5eml3bze.jp'
29-May-2014 00:31:43.724 general: info: received control channel command 'signing -nsec3param 1 0 100 018150bbcb496fae xn--qck5b9a5eml3bze.jp'
29-May-2014 00:31:43.815 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): zone_addnsec3chain(1,REMOVE,100,AFAC2F795254DCC2)
29-May-2014 00:31:43.815 general: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): zone_addnsec3chain(1,CREATE,100,018150BBCB496FAE)
29-May-2014 00:31:43.860 notify: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): sending notifies (serial 2014011542)
29-May-2014 00:31:48.871 notify: info: zone xn--qck5b9a5eml3bze.jp/IN (signed): sending notifies (serial 2014011544)
----------------------------8< cut here >8------------------------------

The TZ is America/New_York -- it's a mistake, I know why it has
happened, I'm not changing it back to UTC until this issue has been
resolved.

Any thoughts as to what I've messed up, and how, please?
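The check the post is doing by hand (grepping `host -lva` output for the new key tag and eyeballing what is missing) can be done systematically. The script below is an added example, not part of the post or of BIND: it parses presentation-format zone output such as `host -lva` or `dig axfr` prints, groups RRSIGs by key tag, and lists every RRset that a given key has not yet signed. The sample zone lines are constructed for the example (signature data is a placeholder); only the zone name and the two key tags 33768 and 53065 come from the post.

```python
"""Report which RRsets in a zone dump lack an RRSIG from a given key tag.

Input is presentation-format RR text (one record per line), as printed by
'host -lva zone server' or 'dig @server zone axfr'. After adding a new ZSK,
every RRset in the zone should eventually carry an RRSIG from its key tag;
anything listed by unsigned_by() is what the signer has not reached yet.
"""
from collections import defaultdict

# Constructed sample: apex SOA signed by both ZSKs, NS and A only by the old one.
SAMPLE_ZONE = """\
xn--qck5b9a5eml3bze.jp. 43200 IN SOA ns.example.net. hostmaster.example.net. 2014011544 3600 900 1209600 3600
xn--qck5b9a5eml3bze.jp. 43200 IN RRSIG SOA 8 2 43200 20140627144436 20140528134436 33768 xn--qck5b9a5eml3bze.jp. SIGDATA==
xn--qck5b9a5eml3bze.jp. 43200 IN RRSIG SOA 8 2 43200 20140627144436 20140528134436 53065 xn--qck5b9a5eml3bze.jp. SIGDATA==
xn--qck5b9a5eml3bze.jp. 43200 IN NS ns.example.net.
xn--qck5b9a5eml3bze.jp. 43200 IN RRSIG NS 8 2 43200 20140627144436 20140528134436 53065 xn--qck5b9a5eml3bze.jp. SIGDATA==
www.xn--qck5b9a5eml3bze.jp. 3600 IN A 192.0.2.10
www.xn--qck5b9a5eml3bze.jp. 3600 IN RRSIG A 8 3 3600 20140627144436 20140528134436 53065 xn--qck5b9a5eml3bze.jp. SIG DATA==
"""

def parse_zone(lines):
    """Return (rrsets, sigs).

    rrsets: set of (owner, rrtype) for every non-RRSIG record seen.
    sigs:   dict keytag -> set of (owner, type_covered) for every RRSIG seen.
    """
    rrsets = set()
    sigs = defaultdict(set)
    for line in lines:
        f = line.strip().split()
        if len(f) < 5 or f[0].startswith(";") or f[2] != "IN":
            continue  # blank line, comment, or not a class-IN record
        owner, rtype = f[0].lower(), f[3].upper()
        if rtype == "RRSIG":
            # RRSIG rdata order: type_covered alg labels origttl expire
            # inception keytag signer signature...  (signature may be split)
            if len(f) < 12:
                continue  # truncated RRSIG line, ignore rather than miscount
            sigs[int(f[10])].add((owner, f[4].upper()))
        else:
            rrsets.add((owner, rtype))
    return rrsets, sigs

def unsigned_by(keytag, rrsets, sigs):
    """RRsets with no RRSIG from keytag, sorted by owner then type."""
    signed = sigs.get(keytag, set())
    return sorted(rr for rr in rrsets if rr not in signed)

if __name__ == "__main__":
    rrsets, sigs = parse_zone(SAMPLE_ZONE.splitlines())
    for tag in sorted(sigs):
        missing = unsigned_by(tag, rrsets, sigs)
        print(f"key {tag}: {len(rrsets) - len(missing)}/{len(rrsets)} RRsets signed")
        for owner, rtype in missing:
            print(f"  not yet signed by {tag}: {owner} {rtype}")
```

Feed it real output with `host -lva zone server | python3 check.py` by replacing the sample with `sys.stdin`; a new ZSK whose only entries are SOA and DNSKEY, as in the post, will show every other RRset as missing.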