In message <7610864823c0d04d89342623a3adc9de1b022...@hopple.countryday.net>, "Spain, Dr. Jeffry A." writes:
> And now, as July 1 has passed and July 9 approaches, can you share a
> summary of what you found? Thanks.
> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
On June 10, our zone countryday.net running on a BIND 9.8.0 server began a
On Fri, Jun 17, 2011 at 08:54:15PM +, Spain, Dr. Jeffry A. wrote:
> Tony Finch:
> > What does `rndc sign ` do?
>
> Thanks, Tony. I have never run rndc sign, as the zone is configured
> with auto-dnssec maintain. Before intervening in this manner, I
> would like to gain a greater understandin
The only thing I would change is making the deletion happen
sig-validity-interval after the inactivation of the key. The idea
is to have a gradual replacement of signatures as they normally
fall due for re-signing.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHO
Thanks, Phil. The document I used to set up the rotation schedules is "Good
Practices Guide for Deploying DNSSEC" at
http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec. It recommends a
two-week interval between ZSK inactivation and deletion. I will carefully study
the IETF draft bel
On 06/17/2011 09:35 PM, Phil Mayers wrote:
In which case you're going to have serious problems, I think. You can't
delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those
RRSIGs finally disappear.
There's an RFC describing the key rotation schedules you must use in a
lot of de
> What does `rndc sign ` do?
Thanks, Tony. I have never run rndc sign, as the zone is configured with
auto-dnssec maintain. Before intervening in this manner, I would like to gain a
greater understanding of what is going on. Thanks. Jeff.
Thanks, Phil.
> How big is the zone, and how did you sign it originally? If you used "rndc
> sign", then there will be little jitter in the RRSIG so they'll all tend to
> roll over together.
> For most of our zones, I signed them manually using dnssec-signzone and tuning
> the jitter for a consta
On 06/17/2011 09:25 PM, Spain, Dr. Jeffry A. wrote:
Our zone has 115 records, not counting DNSSEC-related records. I
originally signed it by specifying the zone file and key directory
along with "auto-dnssec maintain" in the configuration file. Looking
at all the RRSIGs, they expire for the most
On 17/06/11 15:13, Spain, Dr. Jeffry A. wrote:
As of today (6/17/2011), RRSIG records for key 2750 are present for
every RRset in the zone. The only RRSIG record for key 33722 is for the
SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I
understand the process, based on the dates in
Spain, Dr. Jeffry A. wrote:
>
> I'm sure I could solve this by removing all of the DNSSEC data and
> resigning the zone, but would prefer not to do this except as a last
> resort. If anyone has troubleshooting suggestions or other insights, I
> would be grateful for those. Thanks.
What does `rndc