On 10.06.2014 12:01, Sebastian Wiesinger wrote:
> I tried to roll over the ZSK from keyid 38946 to keyid 50205 without
> double-signing (deactivate old key and activate the new one at the
> same time). The metadata for the keys is:
>
> ; This is a zone-signing key, keyid 38946, for karotte.org.
> ; Created: 20140519072829 (Mon May 19 09:28:29 2014)
> ; Publish: 20140519084611 (Mon May 19 10:46:11 2014)
> ; Activate: 20140526072632 (Mon May 26 09:26:32 2014)
> ; Inactive: 20140609140929 (Mon Jun 9 16:09:29 2014)
> ; Delete: 20140611140929 " 16:09:29 2014)
>
> ; This is a zone-signing key, keyid 50205, for karotte.org.
> ; Created: 20140526141128 (Mon May 26 16:11:28 2014)
> ; Publish: 20140607140929 (Sat Jun 7 16:09:29 2014)
> ; Activate: 20140609140929 (Mon Jun 9 16:09:29 2014)
>
> But looking at the zone right now I see that only the SOA is signed
> with the new key and all the other records are signed with the old
> key.
>
> I assumed BIND would change all the signatures at once. Or am I
> getting something wrong? Also I got some strange log output when the
> keys were supposed to switch:
The old key stops signing new records after the inactivation date.
Modified records are signed by the new/active keys only. Existing
signatures are kept until they need to be refreshed (configured with
sig-validity-interval) or the key is deleted. So you'll probably see
new signatures for all records tomorrow.

> Jun 9 16:09:31 alita named[12214]: validating @0x7f4d6c000fc0: dlv.isc.org
> DNSKEY: must be secure failure, . is under DLV (startfinddlvsep)
>
> Not sure what the DLV lookup has to do with all of that but it occurred
> right after the zone was updated.

Probably while resolving the names of the slave servers from the NS
records. Do you have trust anchors and/or DLV configured? The
bind-users list might know more about that.

Hauke.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
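As an added illustration of the behaviour Hauke describes (example code, not from the thread and not part of BIND): a small Python check that reads the dnssec-keygen timing comments and the zone's RRSIG records, and classifies each signature by the state of the key that made it. The simplified metadata block and the RRSIG lines below are constructed for the example; the one thing worth flagging in a real zone is a signature whose expiration lies beyond its key's Delete time, since it stops validating the moment that DNSKEY is removed.

```python
import re
from datetime import datetime, timezone

# Constructed input: timing metadata in the ';'-comment format dnssec-keygen
# writes (key ids as in the thread; only the 14-digit timestamps are parsed).
KEY_METADATA = """\
; This is a zone-signing key, keyid 38946, for karotte.org.
; Inactive: 20140609140929
; Delete: 20140611140929
; This is a zone-signing key, keyid 50205, for karotte.org.
; Activate: 20140609140929
"""

# Constructed RRSIG records in dig presentation format (signature data elided).
RRSIGS = [
    "karotte.org. 3600 IN RRSIG SOA 8 2 3600 20140709140931 20140609140931 50205 karotte.org. ...",
    "karotte.org. 3600 IN RRSIG MX 8 2 3600 20140610120000 20140511120000 38946 karotte.org. ...",
    "www.karotte.org. 3600 IN RRSIG A 8 3 3600 20140620120000 20140521120000 38946 karotte.org. ...",
]

def ts(s):
    """Parse a YYYYMMDDHHMMSS DNSSEC timestamp as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_metadata(text):
    """Return {keyid: {event: datetime}} from the ';' metadata comments."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r";.*keyid (\d+)", line)
        if m:
            current = keys.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"; (\w+): (\d{14})", line)
        if m and current is not None:
            current[m.group(1)] = ts(m.group(2))
    return keys

def audit_rrsigs(keys, rrsig_lines, now):
    """Classify each RRSIG by the timing state of the key tag that signed it."""
    findings = []
    for line in rrsig_lines:
        f = line.split()  # owner ttl IN RRSIG type alg labels ottl expire incept tag signer sig
        owner, rtype, expire, tag = f[0], f[4], ts(f[8]), int(f[10])
        k = keys.get(tag)
        if k is None:
            status = "unknown-key"
        elif "Delete" in k and expire > k["Delete"]:
            status = "outlives-dnskey"  # cannot validate once the DNSKEY is removed
        elif "Inactive" in k and now >= k["Inactive"]:
            status = "stale-key-ok"     # still valid; re-signed with the active key on refresh
        else:
            status = "ok"
        findings.append((owner, rtype, tag, status))
    return findings
```

Run it with `now` set to the time the zone is inspected; "stale-key-ok" entries are the expected state during a non-double-signed rollover, "outlives-dnskey" entries are the ones to fix before the Delete time.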
