Re: auto-dnssec maintain and DNSKEY removal

2016-07-15 Thread Mathew Ian Eis
From: Tony Finch <d...@dotat.at> Date: Thursday, July 14, 2016 at 3:17 AM To: Mathew Eis <mathew@nau.edu> Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org> Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian Eis <mathew@nau.edu> wro

Re: auto-dnssec maintain and DNSKEY removal

2016-07-14 Thread Tony Finch
Mathew Ian Eis wrote: > > sig-validity-interval seems to only affect the expiration date of newly > created signatures, and of course signatures are only rolling over to > new keys as they expire. > > I am wondering if I can ask bind to set the expiration for, say 30 days >

Re: auto-dnssec maintain and DNSKEY removal

2016-07-13 Thread Mathew Ian Eis
, Mathew Eis -Original Message- From: Tony Finch <d...@dotat.at> Date: Wednesday, July 6, 2016 at 2:48 AM To: Mathew Eis <mathew@nau.edu> Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org> Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew

Re: auto-dnssec maintain and DNSKEY removal

2016-07-06 Thread Tony Finch
Mathew Ian Eis wrote: > > Does all of that sound right? I believe so, yes. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly, backing southwesterly, 3 or 4,

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Mathew Ian Eis
> Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian Eis <mathew@nau.edu> wrote: > > > Are you allowing enough time for named to go through a zone key maintenance > > cycle? (which is hourly if I remember correctly) > > I’m not sure, it sounds

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Tony Finch
Mathew Ian Eis wrote: > > > Are you allowing enough time for named to go through a zone key > > maintenance cycle? (which is hourly if I remember correctly) > > I’m not sure, it sounds like perhaps not always? You’ve > mentioned a “zone > key maintenance cycle” of an hour, and

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Mathew Ian Eis
nd-users@lists.isc.org" <bind-users@lists.isc.org> Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian Eis <mathew@nau.edu> wrote: > > We think that in some cases, named may be choosing to use a key past the > removal date (as in [2]), while our file maint

Re: auto-dnssec maintain and DNSKEY removal

2016-07-04 Thread Tony Finch
Mathew Ian Eis wrote: > > We think that in some cases, named may be choosing to use a key past the > removal date (as in [2]), while our file maintenance process removes the > keys as per their deletion date – after which named no longer has the > necessary metadata to

auto-dnssec maintain and DNSKEY removal

2016-07-01 Thread Mathew Ian Eis
Hi BIND, The documentation for auto-dnssec maintain suggests that named will remove DNSKEYs from zones when the deletion time marked in the metadata occurs [1]. Unfortunately, it seems this is not always the case. We are currently trying to diagnose the source of residual DNSKEYs in our zones