inactivating and deleting DNSSEC keys

David Newman dnewman at networktest.com
Tue Oct 8 22:42:37 UTC 2013


bind 9.9.4

How to troubleshoot issues when keys are supposed to be invalidated or
deleted on specific dates, but aren't?

In this case, a KSK was supposed to be inactivated on 29 September 2013
and deleted on 9 October 2013.

From the .key file:

; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)

Problem is, dig says the key is still active, and will be until 29
October 2013:

$ dig networktest.com @localhost +multi rrsig | grep 56989
                                20131029191450 20130929181450 56989 networktest.com.

named.conf has this:

options {
        ..
        // DNSSEC stuff
        managed-keys-directory "managed-keys";
        dnssec-enable yes;
        dnssec-validation auto;
};

..

zone "networktest.com" {
        type master;
        ..
        key-directory "managed-keys/networktest.com";
        inline-signing yes;
        auto-dnssec maintain;
};

$ ls -l managed-keys/networktest.com/ | grep 56989
-rw-r-----  1 bind  bind   719 Jul 31 13:15 Knetworktest.com.+008+56989.key
-rw-------  1 bind  bind  1824 Jul 31 13:15 Knetworktest.com.+008+56989.private

I don't understand the disconnect between the configured inactive/delete
times and the ones returned by dig, and presume this is because I've
misconfigured something.

Thanks in advance for troubleshooting clues.

dn
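The check below is an added example, not code from the original post and not part of BIND. It takes the two pieces of evidence the post quotes, the timing comments from the `.key` file and the `dig +multi` RRSIG continuation line (expiration, inception, key tag, signer), and relates them to each other at a chosen point in time. The two things are independent: the Publish/Activate/Inactive/Delete dates tell `named` when to serve the DNSKEY and when to make new signatures with it, while an RRSIG's inception and expiration are stamped into the signature when it is generated and are not shortened afterwards by a change in key metadata. The sample inputs are the lines from the post; the function names, the `audit` wrapper and the evaluation time (the timestamp of the post) are assumptions made here. Timestamps in both formats are YYYYMMDDHHMMSS in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the timing comments quoted from the .key file in the post.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)
"""

# The RRSIG continuation line from `dig +multi` in the post:
# expiration, inception, key tag, signer name.
RRSIG_LINE = "20131029191450 20130929181450 56989 networktest.com."

TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")


def parse_ts(value):
    """Both BIND key metadata and RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_timing(text):
    """Return (keyid, {field: datetime}) from the comment header of a .key file."""
    keyid = None
    timing = {}
    for line in text.splitlines():
        m = re.search(r"keyid (\d+)", line)
        if m:
            keyid = int(m.group(1))
        m = re.match(r";\s*(\w+):\s*(\d{14})", line)
        if m and m.group(1) in TIMING_FIELDS:
            timing[m.group(1)] = parse_ts(m.group(2))
    return keyid, timing


def key_state(timing, now):
    """What the metadata says the key should be doing at `now`.

    Publish..Delete is the window in which the DNSKEY record is served;
    Activate..Inactive is the window in which named makes new signatures with it.
    """
    return {
        "published": timing["Publish"] <= now < timing["Delete"],
        "signing": timing["Activate"] <= now < timing["Inactive"],
        "deleted": now >= timing["Delete"],
    }


def parse_rrsig(line):
    """Parse the expiration/inception/keytag/signer fields of a +multi RRSIG line."""
    expiration, inception, keytag, signer = line.split()
    return {
        "expiration": parse_ts(expiration),
        "inception": parse_ts(inception),
        "keytag": int(keytag),
        "signer": signer,
    }


def compare(timing, rrsig, now):
    """Relate an existing signature's validity window to the key's metadata dates."""
    return {
        "sig_valid_now": rrsig["inception"] <= now < rrsig["expiration"],
        "made_while_active": timing["Activate"] <= rrsig["inception"] < timing["Inactive"],
        "outlives_inactive": rrsig["expiration"] > timing["Inactive"],
        "outlives_delete": rrsig["expiration"] > timing["Delete"],
    }


def audit(key_text=KEY_FILE, rrsig_line=RRSIG_LINE, now=None):
    """Run the whole check; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    keyid, timing = parse_key_timing(key_text)
    rrsig = parse_rrsig(rrsig_line)
    if rrsig["keytag"] != keyid:  # make sure we are comparing the right key
        raise ValueError(f"RRSIG key tag {rrsig['keytag']} does not match keyid {keyid}")
    return {"keyid": keyid, "key": key_state(timing, now), "signature": compare(timing, rrsig, now)}


if __name__ == "__main__":
    # Evaluate at the time the post was written (Tue Oct 8 22:42:37 UTC 2013).
    result = audit(now=parse_ts("20131008224237"))
    for name in ("key", "signature"):
        print(f"{name}: " + ", ".join(f"{k}={v}" for k, v in result[name].items()))
```

Run against the post's own data at the time of the post, the script reports that the metadata already marks the key as no longer signing but still published, while the signature in the `dig` output was made about two hours before the Inactive time, with a validity window that runs past both the Inactive and the Delete dates. That is the distinction worth checking first in this kind of troubleshooting: whether `dig` is showing a signature that is merely still within its own lifetime, as opposed to one that was freshly generated after the key should have stopped signing.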
