A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2.
See https://lists.isc.org/pipermail/bind-users/2011-December/086063.html. This
appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon.
See http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the
On Fri, Jun 17, 2011 at 08:54:15PM +, Spain, Dr. Jeffry A. wrote:
Tony Finch:
What does `rndc sign zone` do?
Thanks, Tony. I have never run rndc sign, as the zone is configured
with auto-dnssec maintain. Before intervening in this manner, I
would like to gain a greater understanding
And now, as July 1 has passed and July 9 approaches, can you share a
summary of what you found? Thanks.
--
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
On June 10, our zone countryday.net running on a bind 9.8.0 server began an
In message 7610864823c0d04d89342623a3adc9de1b022...@hopple.countryday.net, Spain, Dr. Jeffry A. writes:
And now, as July 1 has passed and July 9 approaches, can you share a
summary of what you found? Thanks.
For our zone countryday.net, which is configured with auto-dnssec maintain
and is running on bind 9.8.0, a ZSK rollover is in progress but seems to be
failing.
The metadata for the original key is:
; This is a zone-signing key, keyid 2750, for countryday.net.
; Created: 20110402153620 (Sat Apr
Spain, Dr. Jeffry A. spa...@countryday.net wrote:
I'm sure I could solve this by removing all of the DNSSEC data and
resigning the zone, but would prefer not to do this except as a last
resort. If anyone has troubleshooting suggestions or other insights, I
would be grateful for those. Thanks.
On 17/06/11 15:13, Spain, Dr. Jeffry A. wrote:
As of today (6/17/2011), RRSIG records for key 2750 are present for
every RRset in the zone. The only RRSIG record for key 33722 is for the
SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I
understand the process, based on the dates
On 06/17/2011 09:25 PM, Spain, Dr. Jeffry A. wrote:
Our zone has 115 records, not counting DNSSEC-related records. I
originally signed it by specifying the zone file and key directory
along with auto-dnssec maintain in the configuration file. Looking
at all the RRSIGs, they expire for the most
Thanks, Phil.
How big is the zone, and how did you sign it originally? If you used rndc
sign, then there will be little jitter in the RRSIG so they'll all tend to
roll over together.
For most of our zones, I signed them manually using dnssec-signzone and tuning
the jitter for a constant
What does `rndc sign zone` do?
Thanks, Tony. I have never run rndc sign, as the zone is configured with
auto-dnssec maintain. Before intervening in this manner, I would like to gain a
greater understanding of what is going on. Thanks. Jeff.
Thanks, Phil. The document I used to set up the rotation schedules is Good
Practices Guide for Deploying DNSSEC at
http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec. It recommends a
two-week interval between ZSK inactivation and deletion. I will carefully study
the IETF draft
The only thing I would change is making the deletion happen
sig-validity-interval after the inactivation of the key. The idea
is to have a gradual replacement of signatures as they normally
fall due for re-signing.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia