Bind seems to lose track of DNSSEC keys
Maurice Janssen
maurice at z74.net
Tue Oct 8 21:00:26 UTC 2013
On Tue, Oct 08, 2013 at 09:42:10AM +1100, Mark Andrews wrote:
>
>In message <52528314.4010809 at z74.net>, Maurice Janssen writes:
>> The problem is that after some time Bind seems to lose track of the
>> keys for most of the zones.
>> At this moment, only one of the zones is OK:
>>
>> # rndc signing -list z74.nl
>> Done signing with key 16845/RSASHA256
>> Done signing with key 37936/RSASHA256
>>
>> All other zones report:
>>
>> # rndc signing -list z74.net
>> No signing records found
>
>The "signing" records show the progress of the initial signing of
>the zone. The only reason they are not removed automatically is
>so that the operator can know when the zone is fully signed to start
>the timer for adding DS records to the parent zone. Named uses
>incremental signing which can take some time with really large
>zones. With small zones it takes seconds.
>
>These records are not required for named to continue to sign the
>zone. Named uses the RRSIG records combined with sig-validity-interval
>to work out what needs to be re-signed and when. It uses the DNSKEY
>records in the zone to look for the private keys.
>
>As for why they are disappearing, I suspect that we are just failing
>to preserve them at some point which is a minor bug that needs to
>be addressed. As long as the zone has completed signing their
>removal shouldn't cause problems.
OK, so it's mainly a cosmetic annoyance and will not affect resigning the
RRsets in the zone. That's good to know, thanks.
Maurice Janssen
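The distinction Mark draws above (the "signing" records only track the initial signing pass, while ongoing re-signing is driven by RRSIG expiry timestamps and sig-validity-interval) is easy to turn into a monitoring check. The script below is an added example, not code from this thread or from BIND. It parses a constructed `rndc signing -list` output in the format quoted in the thread and a constructed set of RRSIG records (as a zone dump or `dig +dnssec` would show them), then classifies each signature as named would treat it: fine, inside the re-sign window, already expired, or signed by a key tag that is not among the known keys. Assumptions: the key-tag set is taken from the rndc output purely for illustration (in practice you would take it from the zone's DNSKEY RRset), the signature data is placeholder base64, and the defaults mirror BIND's sig-validity-interval of 30 days with re-signing starting a quarter of that interval before expiry.

```python
"""Triage RRSIG freshness in a DNSSEC-signed zone.

Added example, not from the bind-users thread or from BIND itself.
All inputs below are constructed samples.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `rndc signing -list` output, same format as in the thread.
RNDC_SIGNING_LIST = """\
Done signing with key 16845/RSASHA256
Done signing with key 37936/RSASHA256
"""

# Constructed RRSIG records; the trailing signature field is a placeholder.
ZONE_RRSIGS = """\
z74.net.      3600 IN RRSIG DNSKEY 8 2 3600 20131107120000 20131008120000 16845 z74.net. c2lnMQ==
z74.net.      3600 IN RRSIG SOA    8 2 3600 20131015120000 20131008120000 37936 z74.net. c2lnMg==
www.z74.net.  3600 IN RRSIG A      8 3 3600 20131001000000 20130901000000 37936 z74.net. c2lnMw==
mail.z74.net. 3600 IN RRSIG MX     8 3 3600 20131201000000 20131008120000 55555 z74.net. c2lnNA==
"""

SIGNING_LINE = re.compile(r"Done signing with key (\d+)/(\S+)")
# owner ttl IN RRSIG type alg labels origttl expire incept keytag signer sig
RRSIG_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


def parse_signing_list(text):
    """Map key tag -> algorithm for keys that `rndc signing -list` reports done.

    A zone that prints "No signing records found" yields an empty dict; as the
    thread explains, that alone does not mean re-signing has stopped.
    """
    return {int(tag): alg for tag, alg in SIGNING_LINE.findall(text)}


def parse_timestamp(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Extract owner, covered type, validity window and key tag from RRSIG lines."""
    sigs = []
    for line in text.splitlines():
        m = RRSIG_LINE.match(line.strip())
        if not m:
            continue
        sigs.append({
            "owner": m["owner"],
            "type": m["type"],
            "expire": parse_timestamp(m["expire"]),
            "incept": parse_timestamp(m["incept"]),
            "keytag": int(m["keytag"]),
        })
    return sigs


def classify_rrsigs(rrsigs, known_keytags, now, validity_days=30, resign_days=None):
    """Classify each RRSIG relative to sig-validity-interval.

    validity_days/resign_days follow BIND's sig-validity-interval semantics:
    the re-sign window defaults to a quarter of the validity period.
    """
    if resign_days is None:
        resign_days = validity_days / 4
    window = timedelta(days=resign_days)
    results = []
    for sig in rrsigs:
        if sig["keytag"] not in known_keytags:
            status = "unknown-key"      # no matching key: named cannot re-sign it
        elif sig["expire"] <= now:
            status = "expired"          # validators already reject this RRset
        elif sig["expire"] - now <= window:
            status = "resign-due"       # inside the window named re-signs in
        else:
            status = "ok"
        results.append((sig["owner"], sig["type"], sig["keytag"], status))
    return results


def report(now_ts=None):
    """Run the check; now_ts is a YYYYMMDDHHMMSS UTC string, default is now."""
    now = parse_timestamp(now_ts) if now_ts else datetime.now(timezone.utc)
    known = set(parse_signing_list(RNDC_SIGNING_LIST))  # assumption: stands in for the DNSKEY RRset
    return classify_rrsigs(parse_rrsigs(ZONE_RRSIGS), known, now)


if __name__ == "__main__":
    # Evaluate at the time of the message in the thread.
    for owner, rtype, tag, status in report("20131008210026"):
        print(f"{owner:14} {rtype:7} key {tag:5}  {status}")
```

Run against a real zone, the two inputs would come from `rndc signing -list <zone>` and a dump of the signed zone; anything reported as "expired" or "unknown-key" is what actually breaks validation, whereas a zone with no signing records but all RRSIGs "ok" or "resign-due" is in the harmless state described in the reply.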