"auto-dnssec maintain;" and key "missing or inactive and has no replacement"
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Jul 24 09:29:15 UTC 2013
I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My
configuration is:
options {
directory "/tmp/bind";
key-directory "/tmp/bind";
};
zone "example" {
type master;
file "example";
inline-signing yes;
auto-dnssec maintain;
};
Apparently, everything works. The key I created and put in /tmp/bind
is used, the zone is signed, everyone is happy.
But I get messages:
24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 missing or inactive and has no replacement: retaining signatures.
Which I do not understand. The key is there:
% ls -lt /tmp/bind/Kexample.+008+46747*
-rw-r--r-- 1 bortzmeyer bortzmeyer 597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
-rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private
And is certainly active:
% cat /tmp/bind/Kexample.+008+46747.key
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
...
And, despite the message "retaining signatures", signatures *are*
regenerated periodically, even after the warning:
example. 600 IN RRSIG DNSKEY 8 1 600 20130725045802 (
20130724043925 46747 example.
rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
...
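As an added example that is not part of the original post: a small Python checker for the timing metadata BIND writes into a K*.key file, which is the first thing to inspect when named reports a key as inactive. The sample file mirrors the post's comment lines; its Inactive and Delete times and the DNSKEY record are constructed, and the lint flags the Activate-before-Publish ordering visible in the post's file.

```python
from datetime import datetime, timezone
import re

# Constructed sample: the first four comment lines mirror the post's
# Kexample.+008+46747.key; the Inactive/Delete lines and the DNSKEY record
# are hypothetical, added to exercise the whole key lifecycle.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
; Inactive: 20140723070226 (Wed Jul 23 09:02:26 2014)
; Delete: 20140822070226 (Fri Aug 22 09:02:26 2014)
example. IN DNSKEY 257 3 8 AwEAAconstructedplaceholderkeydata==
"""

# BIND writes timing metadata as "; Field: YYYYMMDDHHMMSS (human-readable)";
# the 14-digit timestamp is in UTC.
TIMING_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})")

def parse_timestamp(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_timing(text):
    """Map each timing field present in a K*.key file to a UTC datetime."""
    timing = {}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            timing[m.group(1)] = parse_timestamp(m.group(2))
    return timing

def state_at(text, when):
    """Classify the key at `when` (YYYYMMDDHHMMSS, UTC): is the DNSKEY published
    in the zone, and is the key allowed to sign? A key that is active but not
    yet published produces signatures that validators cannot verify."""
    timing, now = parse_key_timing(text), parse_timestamp(when)
    def passed(field):
        return field in timing and timing[field] <= now
    if passed("Delete"):
        return "deleted"
    published = passed("Publish")
    if passed("Inactive"):
        return "published-inactive" if published else "inactive"
    if passed("Activate"):
        return "active" if published else "active-unpublished"
    return "published-not-yet-active" if published else "pending"

def lint_timing(text):
    """Flag orderings that commonly confuse operators and validators."""
    t, warnings = parse_key_timing(text), []
    if "Activate" in t and "Publish" in t and t["Activate"] < t["Publish"]:
        warnings.append("Activate precedes Publish: key may sign before validators can see it")
    if "Activate" not in t:
        warnings.append("no Activate time: key is not eligible to sign")
    return warnings
```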
More information about the bind-users mailing list