bind 9.7.0 auto-dnssec doesn't remove final RRSIG on key inactivation?
Tony Finch
dot at dotat.at
Thu Aug 25 11:14:41 UTC 2011
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> I first create and publish a new ZSK with no activation date. After waiting
> the requisite amount of time, I use dnssec-settime:
>
> dnssec-settime -A K<newid>
> dnssec-settime -I K<oldid>
> rndc sign <zone>
>
> ...and bind immediately starts using the new key for sigs. After 0.75*30 days,
> all the RRSIG with the old key have been replaced except for one - the RRSIG
> on the zone apex DNSKEY record. Unfortunately, this RRSIG is not regenerated,
> or removed; it expires, and causes various monitoring tools (including the ISC
> DLV web UI) to complain.
>
> Is this a bug in bind 9.7.0 which is fixed in a later version?
Possibly this:
    3020.   [bug]   auto-dnssec failed to correctly update the zone when
                    changing the DNSKEY RRset. [RT #23232]
dnssec-dnskey-kskonly might be a workaround...
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Northwesterly 5 or 6 in southeast Trafalgar, otherwise variable 3
or 4, becoming cyclonic 5 to 7, perhaps gale 8 later in south Biscay and
southeast Fitzroy. Moderate or rough. Rain or showers. Good, occasionally
poor.
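A monitoring check for the symptom described in the thread, as an added example that is not part of the original post: it takes the apex DNSKEY RRset in dig's one-line answer format, the key tags that should currently be signing it (BIND names key files K<zone>+<alg>+<tag>, so the tags can be read from the key directory), and a timestamp threshold, and flags any RRSIG over DNSKEY made by a key outside that set or expiring before the threshold. The records, key tags and timestamps below are constructed sample data.

```shell
#!/bin/sh
# Live input would come from:  dig +dnssec +noall +answer DNSKEY example.com
# The threshold is the time before which an RRSIG should already have been
# refreshed (for GNU date: date -u -d '+7 days' +%Y%m%d%H%M%S).
#
# bad_dnskey_rrsigs RRSET ACTIVE_TAGS THRESHOLD
#   prints one line per offending RRSIG over DNSKEY; always exits 0.
bad_dnskey_rrsigs() {
    printf '%s\n' "$1" | awk -v tags="$2" -v thr="$3" '
        BEGIN { n = split(tags, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        # RRSIG presentation format (RFC 4034 3.2), one record per line:
        # $1 owner $2 ttl $3 class $4 RRSIG $5 type-covered $6 alg $7 labels
        # $8 orig-ttl $9 expiration $10 inception $11 keytag $12 signer $13 sig
        $4 == "RRSIG" && $5 == "DNSKEY" {
            if (!($11 in ok))
                print "foreign-signer keytag=" $11 " expires=" $9
            else if ($9 + 0 < thr + 0)
                print "expiring keytag=" $11 " expires=" $9
        }'
}

# check_dnskey_rrsigs RRSET ACTIVE_TAGS THRESHOLD
#   exit 0 if every DNSKEY RRSIG is fresh and from an expected key, else 1.
check_dnskey_rrsigs() {
    bad=$(bad_dnskey_rrsigs "$@")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: two ZSKs (22222 new, 33333 inactivated) and a KSK (11111).
# The RRSIG by the old ZSK was never regenerated, as in the thread.
SAMPLE='example.com. 3600 IN DNSKEY 256 3 8 AwEAAcZSKnew
example.com. 3600 IN DNSKEY 256 3 8 AwEAAcZSKold
example.com. 3600 IN DNSKEY 257 3 8 AwEAAcKSK
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20110920000000 20110821000000 11111 example.com. sigKSK
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20110920000000 20110821000000 22222 example.com. sigNewZSK
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20110826000000 20110727000000 33333 example.com. sigOldZSK'

# Demo: 33333 is no longer an expected signer, so its RRSIG is reported.
check_dnskey_rrsigs "$SAMPLE" "11111 22222" "20110901000000" \
    || echo "stale RRSIG on the DNSKEY RRset: re-sign the zone"
```

Run it from cron against the authoritative server after every `rndc sign` and key-timing change; a non-zero exit is the condition the monitoring tools in the thread were complaining about.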