rndc-key has expired
fakessh at fakessh.eu
Wed Mar 23 15:24:41 UTC 2011
I use BIND with rndc and the ISC DLV for DNSSEC.
My zone config is like this:
    zone "renelacroute.fr" {
        type master;
        file "/var/named/renelacroute.fr.hosts";
        auto-dnssec maintain;
        update-policy local;
        key-directory "/var/named/keys/";
        // address_match_list entries are addresses, CIDR prefixes, key or acl names;
        // '*' is not BIND syntax
        allow-transfer { 213.251.*.*; 87.98.*.*; 195.234.*.*; 94.23.*.*; 193.223.*.*; };
    };
and my dnssec log is:

    23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired
    23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired
    23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature has expired
I cannot use the ISC script to validate the answers (for DNSSEC):
SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
5.814:INFO Total answers: 3
5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
5.816:SUCCESS All DNSKEY responses are identical.
5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1 AwEAAb20...UzDMzFplHk=
5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1 AwEAAbj7...WFfCkn7o38=
5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering.
5.822:DEBUG VERIFY-DNSKEY: Using keys:
5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering.
5.822:FAILURE DNSKEY signature did not validate.
5.822:FINAL_FAILURE FAILURE
On Wednesday 23 March 2011 at 09:29 +0100, Eivind Olsen wrote:
> > I edited the file named.conf,
> > changing
> >     update-policy {
> >         grant * self * A TXT;
> >     };
> > to update-policy local;
> > It seems more logical.
> > But I'm still stuck on the validation of ISC DLV. The script tells me
> > lost keys.
>
> Which script? What exactly does it say?
>
> I'm guessing you might have enabled dynamic updates in a DNSSEC signed
> zone, without BIND having access to the private keys needed to sign, but
> that's a wild guess really.
>
> Regards
> Eivind Olsen
>
>
--
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7