Re: Old ZSK refuses to retire

2023-04-26 Thread Matthijs Mekking

Hi Carsten,

This is too little information to figure out what is going on.

Can you share (offline if you wish) the output of 'rndc dnssec -status '?


Can you share the contents of the ".state" files for the given zone?

And can you enable debug logs (level 3)? (I am particularly interested in the "keymgr" 
logs.)


Thanks, best regards,

Matthijs



On 4/26/23 14:09, Carsten Strotmann via bind-users wrote:

Hi,

I have a situation where in a BIND 9 zone with dnssec-policy and 
inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. 
Although the timing metadata shows the retire and deletion dates in the past, 
the ZSK is still in the zone and is signing the records (along with the new 
ZSK, so there are two ZSK RRSigs on each RRSet).

Setting new retire/inactive + deletion times with dnssec-settime (with 
parameter -s to update the state file) does not help either.

Removing the key files will stop the key being active (there are no new RRSigs 
generated from this key), but the DNSKEY record still stays in the zone.

Any idea how to recover from such a situation (other than removing the signed 
zone and journals and re-signing the zone again)?

Greetings

Carsten


--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
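An added example, not code from this thread or from ISC's BIND: a small Python checker that reads a key ".state" file of the kind Matthijs asks for and reports where the timing metadata (Retired/Removed already in the past) contradicts the key's state fields, which is the symptom Carsten describes. The ".state" layout and field names are assumed from BIND 9.16+ and the sample key and reference time are constructed, not taken from a real zone.

```python
from datetime import datetime, timezone

# Constructed sample of a BIND 9 key ".state" file (layout assumed from
# BIND 9.16+): "Field: value" lines, timestamps as YYYYMMDDHHMMSS (...).
SAMPLE_STATE = """\
; This is the state of key 12345, for example.com.
Generated: 20230101120000 (Sun Jan  1 12:00:00 2023)
Published: 20230101120000 (Sun Jan  1 12:00:00 2023)
Active: 20230102120000 (Mon Jan  2 12:00:00 2023)
Retired: 20230301120000 (Wed Mar  1 12:00:00 2023)
Removed: 20230315120000 (Wed Mar 15 12:00:00 2023)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
GoalState: omnipresent
ZSK: yes
"""
# Constructed reference time (the day of the thread), used as "now".
NOW = datetime(2023, 4, 26, 12, 9, tzinfo=timezone.utc)
TIMING_FIELDS = ("Generated", "Published", "Active", "Retired", "Removed")

def parse_state(text):
    """Parse a .state file into a dict; timing fields become UTC datetimes."""
    state = {}
    for line in text.splitlines():
        if not line or line.startswith(";") or ":" not in line:
            continue  # skip the leading comment and blank lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in TIMING_FIELDS:
            # keep the compact timestamp, drop the "(human readable)" suffix
            stamp = value.split()[0]
            value = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        state[key] = value
    return state

def stuck_retirement(state, now):
    """Return contradictions between timing metadata and the key state machine."""
    # After Retired/Removed, GoalState should be 'hidden' and the RRSIG/DNSKEY
    # states should be leaving 'omnipresent'; anything else matches the thread's
    # symptom (old ZSK still published and still signing).
    present = ("rumoured", "omnipresent")
    checks = (
        ("Retired", "GoalState", ("omnipresent",), "goal is still omnipresent"),
        ("Retired", "ZRRSIGState", present, "key is still signing (ZRRSIG)"),
        ("Removed", "DNSKEYState", present, "DNSKEY is still published"),
    )
    problems = []
    for when, field, bad, msg in checks:
        if state.get(when) and state[when] <= now and state.get(field) in bad:
            problems.append(f"{when} time has passed but {msg}")
    return problems
```

Run it against each ".state" file in the zone's key directory; an empty result for a key whose Retired time has passed means the state machine has caught up with the timing metadata.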


Old ZSK refuses to retire

2023-04-26 Thread Carsten Strotmann via bind-users
Hi,

I have a situation where in a BIND 9 zone with dnssec-policy and 
inline-signing, after a ZSK rollover, the (old) ZSK is refusing to retire. 
Although the timing metadata shows the retire and deletion dates in the past, 
the ZSK is still in the zone and is signing the records (along with the new 
ZSK, so there are two ZSK RRSigs on each RRSet).

Setting new retire/inactive + deletion times with dnssec-settime (with 
parameter -s to update the state file) does not help either.

Removing the key files will stop the key being active (there are no new RRSigs 
generated from this key), but the DNSKEY record still stays in the zone. 

Any idea how to recover from such a situation (other than removing the signed 
zone and journals and re-signing the zone again)?

Greetings

Carsten
