DNSSEC key rollover failure

Spain, Dr. Jeffry A. spainj at countryday.net
Fri Jun 17 14:13:35 UTC 2011


For our zone countryday.net, which is configured with "auto-dnssec maintain" and is running on bind 9.8.0, a ZSK rollover is in progress but seems to be failing.

The metadata for the original key is:
; This is a zone-signing key, keyid 2750, for countryday.net.
; Created: 20110402153620 (Sat Apr  2 08:36:20 2011)
; Publish: 20110312000000 (Fri Mar 11 16:00:00 2011)
; Activate: 20110316000000 (Tue Mar 15 17:00:00 2011)
; Inactive: 20110615000000 (Tue Jun 14 17:00:00 2011)
; Delete: 20110629000000 (Tue Jun 28 17:00:00 2011)

The metadata for the replacement key is:
; This is a zone-signing key, keyid 33722, for countryday.net.
; Created: 20110402153621 (Sat Apr  2 08:36:21 2011)
; Publish: 20110312000000 (Fri Mar 11 16:00:00 2011)
; Activate: 20110614000000 (Mon Jun 13 17:00:00 2011)
; Inactive: 20110913000000 (Mon Sep 12 17:00:00 2011)
; Delete: 20110927000000 (Mon Sep 26 17:00:00 2011)

As of today (6/17/2011), RRSIG records for key 2750 are present for every RRset in the zone. The only RRSIG record for key 33722 is for the SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I understand the process, based on the dates in the metadata, there should be RRSIGs for key 33722 on all RRsets, and all RRSIGs for key 2750 should have been removed.

The syslog contains the following entries, which seem to reflect zone key activity at the appropriate times, and I don't see any error messages:
Jun  9 20:00:00 ns0 named[942]: zone countryday.net/IN: reconfiguring zone keys
Jun 13 20:00:00 ns0 named[942]: zone countryday.net/IN: reconfiguring zone keys
Jun 14 20:00:00 ns0 named[942]: zone countryday.net/IN: reconfiguring zone keys
The log entry on June 9 relates to the publication of key 26552 due to be activated in September. The June 13 entry corresponds to the activation of key 33722, and the June 14 entry to the inactivation of key 2750.

I'm sure I could solve this by removing all of the DNSSEC data and resigning the zone, but would prefer not to do this except as a last resort. If anyone has troubleshooting suggestions or other insights, I would be grateful for those. Thanks.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
6905 Given Road, Cincinnati, OH 45243-2898, USA
Phone +1 (513) 979-0299; Fax +1 (513) 527-7632 (UTC-4)
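A timeline check for the situation described in this message, added here as an example and not part of the original post: it reads the quoted key timing metadata, works out which ZSK should be signing at a given instant, and compares that against the signer key IDs observed per RRset. The per-RRset observation table is constructed from the post's description (2750 on everything, 33722 only on the SOA); the RRset names are placeholders, not a dump of the live zone.

```python
"""Expected vs. observed ZSK signers from BIND key timing metadata (added example)."""
from datetime import datetime

# Timing lines as printed in the .key files quoted in the post (stamps are UTC).
KEY_METADATA = """
; This is a zone-signing key, keyid 2750, for countryday.net.
; Publish: 20110312000000 (Fri Mar 11 16:00:00 2011)
; Activate: 20110316000000 (Tue Mar 15 17:00:00 2011)
; Inactive: 20110615000000 (Tue Jun 14 17:00:00 2011)
; Delete: 20110629000000 (Tue Jun 28 17:00:00 2011)
; This is a zone-signing key, keyid 33722, for countryday.net.
; Publish: 20110312000000 (Fri Mar 11 16:00:00 2011)
; Activate: 20110614000000 (Mon Jun 13 17:00:00 2011)
; Inactive: 20110913000000 (Mon Sep 12 17:00:00 2011)
; Delete: 20110927000000 (Mon Sep 26 17:00:00 2011)
"""
# Signer key IDs per RRset as the post describes them; the two RRset names are
# constructed placeholders standing in for the whole zone.
OBSERVED_SIGNERS = {"countryday.net/SOA": {2750, 33722}, "countryday.net/NS": {2750}}
WHEN = datetime(2011, 6, 17)  # "as of today" in the post, taken as UTC

def parse_keys(text):
    """Return {keyid: {event: datetime}} from dnssec-keygen style comment lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("; ").strip()
        if line.startswith("This is a"):
            current = int(line.split("keyid ")[1].split(",")[0])
            keys[current] = {}
        elif current is not None and ":" in line:
            event, rest = line.split(":", 1)  # only the first colon separates the event
            keys[current][event] = datetime.strptime(rest.split()[0], "%Y%m%d%H%M%S")
    return keys

def key_state(meta, when):
    """State at `when`: published = in DNSKEY but not signing; inactive = published, RRSIGs due to go."""
    for event, state in (("Publish", "unpublished"), ("Activate", "published"),
                         ("Inactive", "active"), ("Delete", "inactive")):
        if when < meta[event]:
            return state
    return "deleted"

def expected_signers(keys, when):
    return {kid for kid, meta in keys.items() if key_state(meta, when) == "active"}

def rollover_report(keys, when, observed):
    """RRsets whose observed signer set differs from the expected active ZSK set."""
    want = expected_signers(keys, when)
    return {name: sorted(got) for name, got in observed.items() if got != want}
```

For the metadata above, every RRset is reported on 2011-06-17: 2750 is in its inactive window and 33722 is the only key that should be signing, which is the expectation stated in the post.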
