inactivating and deleting DNSSEC keys
David Newman
dnewman at networktest.com
Tue Oct 8 23:01:08 UTC 2013
On 10/8/13 3:51 PM, Alan Clegg wrote:
>
> On Oct 8, 2013, at 6:42 PM, David Newman <dnewman at networktest.com>
> wrote:
>
>> bind 9.9.4
>>
>> How to troubleshoot issues when keys are supposed to be
>> invalidated or deleted on specific dates, but aren't?
>>
>> In this case, a KSK was supposed to be inactivated on 29
>> September 2013 and deleted on 9 October 2013.
>>
>> From the .key file:
>>
>> ; This is a key-signing key, keyid 56989, for networktest.com.
>> ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
>> ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
>> ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
>> ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
>> ; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
>>
>> Problem is, dig says the key is still active, and will be until
>> 29 October 2013:
>>
>> $ dig networktest.com @localhost +multi rrsig | grep 56989
>> 20131029191450 20130929181450 56989 networktest.com.
>
> You don't provide all of the record. It's an RRSIG that is still
> within its lifetime.
>
> Do a dig for the "DNSKEY" rrtype at the zone name and see what you
> get back.
I think this is what you're asking for, but if not please let me know.
Thanks.
dn
$ dig networktest.com @localhost +multi dnskey
; <<>> DiG 9.9.4 <<>> networktest.com @localhost +multi dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11568
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;networktest.com. IN DNSKEY
;; ANSWER SECTION:
networktest.com. 3600 IN DNSKEY 256 3 8 (
AwEAAc/YdGPWOi57E4yj6bYw55o9XXYP2V8xNhRFBtQM
6iGLrf+OHzIpA2ffPhL8CHOZxkH6nIKNDzQ9sWnih1O4
BDSI062F8AextdeA2V0cLin43y3YDL0LK8SFaNMPKdwR
hAD3KIXtbvZRFBU1iUEUoRy6ZpO8K0HRSyQgYa5SdqP5
) ; ZSK; alg = RSASHA256; key id = 16788
networktest.com. 3600 IN DNSKEY 257 3 8 (
AwEAAdAmmvkvbIIRoq48aqHToIIcGKImBoKdqUyslOyM
rRH5mxN7o0wc50ib2g6E+EtBWCn3UqrqpGcru1ZHkDoJ
eCf2JbSKViOJPRWgAx1JfVFwO6eL4lDcMGb6OF0OxPCc
9OMkUo6B/76fORJgelbpqKscHAYCo92npR+XpZMoj/Gj
S3sDn8k62eIXkbAFOXQuuGFVfQ0chKSv0QctlcnsTHkF
NRmjwVjN5xYPy0kn0bXVCC8Iiah2RqQAdV4jij2c4iM7
STwlnKYBWslQZGWi8LQgjLgUNOvh0dfWdLCYiQR7WwPf
W5Y2RxgvZ3SmG1+ntX5ps+VU7jKzXnDiPWwKp9M=
) ; KSK; alg = RSASHA256; key id = 56989
networktest.com. 3600 IN DNSKEY 256 3 8 (
AwEAAdPqBf8AF3+QQAP2olQA7vCDieElo65jyWdphIuI
T2Awiwd07a83gXgL9Ezp16b8miO1eOSBOUB+0fmBSI6h
IWCyFNAuh2+P5eCCD+gJq/u2y+ItnyaKZNEFjXF8YJWl
NoLtmf48xJv9QyepbZ4hLqBlIMf//NdNc8lDyXc/iRRV
) ; ZSK; alg = RSASHA256; key id = 30795
networktest.com. 3600 IN DNSKEY 257 3 8 (
AwEAAceMN3Aad/ups4QFO2JmO7cww1kx5DBQwbouQ/iC
H5M+zAfo7XddkJZkVp5A9ZKhSqf982r0En3i1lQrNESE
1ZlWPnDwW8ygBySBORkmNPqLRZG28sBaut2B6n31laWi
1mj1m6U9NNrAiQG2M19IRlaTCcO6Ud7usMyhPogKcE/3
5TjuoMv5nzI/hirzOWhOi4F9gRe8UlsVk8q1gWoWDlL5
oGAIT3VguW3Ifaa9Ywy2BWTy0qSJ6IlMuLtqT+GbJrc+
qvG9/symJYbcwAKz2Ai0Yuiwhmi6E587wsLV/HZkryMR
3GMU/6Nt0H4dyhlwCaK4y9StedVmJwHIwI0HSDE=
) ; KSK; alg = RSASHA256; key id = 20362
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 08 15:58:15 PDT 2013
;; MSG SIZE rcvd: 892
>
> AlanC
>
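The following is an added worked example, not code from the thread or from BIND, that puts Alan's point into checkable form: the key file's Inactive/Delete dates govern when BIND stops *making* new signatures with the key and when the DNSKEY is removed from the zone, while an RRSIG carries its own inception/expiration and stays valid until that expiration regardless of the key's state. It reads the timing comments and RRSIG values quoted above (the RRSIG line is reconstructed around the quoted expiration, inception and key tag; the other RRSIG fields are fillers), evaluates both at the time the dig was run (15:58:15 PDT = 22:58:15 UTC), and parses the KSK 56989 DNSKEY record from the dig output to compute its key tag per RFC 4034 Appendix B. The interpretation of Publish/Activate/Inactive/Delete follows the dnssec-settime documentation and is an assumption of this script, not something the thread states.

```python
"""DNSSEC key timing vs. RRSIG validity, as an illustration of the thread above."""
import base64
import re
import struct
from datetime import datetime, timezone

# Timing comments from the .key file quoted in the thread, one field per line.
KEY_FILE_COMMENTS = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
"""

# Constructed RRSIG presentation line: expiration, inception and key tag are the
# values quoted in the thread; type covered, labels, TTL and signature are fillers.
RRSIG_LINE = ("networktest.com. 3600 IN RRSIG DNSKEY 8 2 3600 "
              "20131029191450 20130929181450 56989 networktest.com. AAAA")

# KSK 56989 RDATA exactly as printed by dig +multi in the thread (base64 lines joined).
KSK_RDATA = ("257 3 8 "
             "AwEAAdAmmvkvbIIRoq48aqHToIIcGKImBoKdqUyslOyM"
             "rRH5mxN7o0wc50ib2g6E+EtBWCn3UqrqpGcru1ZHkDoJ"
             "eCf2JbSKViOJPRWgAx1JfVFwO6eL4lDcMGb6OF0OxPCc"
             "9OMkUo6B/76fORJgelbpqKscHAYCo92npR+XpZMoj/Gj"
             "S3sDn8k62eIXkbAFOXQuuGFVfQ0chKSv0QctlcnsTHkF"
             "NRmjwVjN5xYPy0kn0bXVCC8Iiah2RqQAdV4jij2c4iM7"
             "STwlnKYBWslQZGWi8LQgjLgUNOvh0dfWdLCYiQR7WwPf"
             "W5Y2RxgvZ3SmG1+ntX5ps+VU7jKzXnDiPWwKp9M=")


def parse_timestamp(ts):
    """YYYYMMDDHHMMSS (UTC), the format used in key files and RRSIGs."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_timing(text):
    """Collect the dated metadata comments (Created/Publish/Activate/Inactive/Delete)."""
    return {m.group(1): parse_timestamp(m.group(2))
            for m in re.finditer(r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})",
                                 text, re.M)}


def key_state_at(meta, when):
    """Assumed dnssec-settime semantics: published from Publish until Delete,
    used for new signatures from Activate until Inactive."""
    published = meta["Publish"] <= when and ("Delete" not in meta or when < meta["Delete"])
    signing = meta["Activate"] <= when and ("Inactive" not in meta or when < meta["Inactive"])
    return {"published": published, "signing": signing}


def parse_rrsig(line):
    """owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig"""
    f = line.split()
    return {"type_covered": f[4], "algorithm": int(f[5]), "expiration": parse_timestamp(f[8]),
            "inception": parse_timestamp(f[9]), "key_tag": int(f[10]), "signer": f[11]}


def rrsig_valid_at(rrsig, when):
    """A signature is within its lifetime between inception and expiration (inclusive)."""
    return rrsig["inception"] <= when <= rrsig["expiration"]


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(rdata_text):
    """Parse 'flags protocol algorithm base64...' and derive tag, role and RSA size."""
    flags, protocol, algorithm, *b64 = rdata_text.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    pubkey = base64.b64decode("".join(b64))
    info = {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "is_ksk": bool(flags & 0x0001),  # SEP bit
            "is_zone_key": bool(flags & 0x0100),
            "key_tag": dnskey_key_tag(flags, protocol, algorithm, pubkey)}
    if algorithm in (5, 7, 8, 10):  # RSA-based algorithms, RFC 3110 encoding
        exp_len = pubkey[0] if pubkey[0] else int.from_bytes(pubkey[1:3], "big")
        exp_start = 1 if pubkey[0] else 3
        modulus = pubkey[exp_start + exp_len:]
        info["rsa_exponent"] = int.from_bytes(pubkey[exp_start:exp_start + exp_len], "big")
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


if __name__ == "__main__":
    when = parse_timestamp("20131008225815")  # dig WHEN line, converted from PDT to UTC
    meta = parse_key_timing(KEY_FILE_COMMENTS)
    rrsig = parse_rrsig(RRSIG_LINE)
    key = parse_dnskey(KSK_RDATA)
    print("key 56989 at", when.isoformat(), "->", key_state_at(meta, when))
    print("RRSIG by key", rrsig["key_tag"], "valid at that time:", rrsig_valid_at(rrsig, when))
    print("DNSKEY from dig: flags=%d ksk=%s tag=%d rsa_bits=%d"
          % (key["flags"], key["is_ksk"], key["key_tag"], key["rsa_bits"]))
```

Run at the time of the dig, the script reports the key as still published (Delete is 20:15:10 UTC on 9 October, after the query) but no longer signing (Inactive passed on 29 September), and the RRSIG as valid until its own expiration on 29 October; that is exactly what the quoted dig lines show, and why a signature's expiration, not the key's Inactive date, is what `dig rrsig` reflects. Comparing the computed key tag of each DNSKEY in the dig output with the key tag field of the RRSIG is the check that tells you which published key actually produced a given signature.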