inactivating and deleting DNSSEC keys
Mark Andrews
marka at isc.org
Wed Oct 9 00:54:33 UTC 2013
In message <52548A5D.3070208 at networktest.com>, David Newman writes:
> bind 9.9.4
>
> How to troubleshoot issues when keys are supposed to be invalidated or
> deleted on specific dates, but aren't?
>
> In this case, a KSK was supposed to be inactivated on 29 September 2013
> and deleted on 9 October 2013.
>
> From the .key file:
>
> ; This is a key-signing key, keyid 56989, for networktest.com.
> ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
> ; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
>
> Problem is, dig says the key is still active, and will be until 29
> October 2013:
Named stopped SIGNING with this record on October 29.
Inception (20130929181450) is over an hour (clock skew allowance)
before the Inactivation (20130929201510) time.
The RRSIG will be replaced when the record is due to be re-signed
which is based on the sig-validity-interval.
I would be extending the deletion date to 30 days (sig-validity-interval)
after the inactivation date.
Mark
> $ dig networktest.com @localhost +multi rrsig | grep 56989
>
> 20131029191450 20130929181450 56989 networktest.com.
>
> named.conf has this:
>
> options {
> ..
> // DNSSEC stuff
> managed-keys-directory "managed-keys";
> dnssec-enable yes;
> dnssec-validation auto;
> }
>
> ..
>
> zone "networktest.com" {
> type master;
> ..
> key-directory "managed-keys/networktest.com";
> inline-signing yes;
> auto-dnssec maintain;
> };
>
> $ ls -l managed-keys/networktest.com/ | grep 56989
> -rw-r----- 1 bind bind 719 Jul 31 13:15 Knetworktest.com.+008+56989.key
> -rw------- 1 bind bind 1824 Jul 31 13:15
> Knetworktest.com.+008+56989.private
>
> I don't understand the disconnect between the configured inactive/delete
> times and the ones returned by dig, and presume this is because I've
> misconfigured something.
>
> Thanks in advance for troubleshooting clues.
>
> dn
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
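The timing relationship Mark describes can be checked mechanically. The script below is an added example, not code from the thread or from ISC: it parses the key-timing metadata comments of a `.key` file and the expiration/inception fields of an RRSIG (both copied from the post above as constructed sample input), and then applies the two rules from the reply: the signature was generated while the key was still active if inception plus the one-hour clock-skew backdating precedes the Inactive time, and the Delete date should be at least one sig-validity-interval (the 30-day default is assumed here) after the Inactive date so no live RRSIG outlives the key's DNSKEY. The function names and the `check_retirement` result keys are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the key-file header and RRSIG fields quoted in the post.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
"""
# "<expiration> <inception> <keytag> <signer>" as printed by dig +multi.
RRSIG_LINE = "20131029191450 20130929181450 56989 networktest.com."

TS_FMT = "%Y%m%d%H%M%S"  # DNSSEC timestamps are UTC


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def format_ts(dt):
    return dt.strftime(TS_FMT)


def key_timing(text):
    """Return {event: datetime} for the dnssec-keygen timing comments."""
    timing = {}
    for m in re.finditer(r"^; (Created|Publish|Activate|Inactive|Delete): (\d{14})", text, re.M):
        timing[m.group(1)] = parse_ts(m.group(2))
    return timing


def rrsig_window(line):
    """Return (expiration, inception, keytag) from the RRSIG fields."""
    exp, inc, tag = line.split()[:3]
    return parse_ts(exp), parse_ts(inc), int(tag)


def check_retirement(timing, sig, skew=timedelta(hours=1), sig_validity=timedelta(days=30)):
    """Apply the two rules from the reply.

    named backdates inception by `skew`, so the real signing time is
    inception + skew. If that is still before Inactive, the signature was
    legitimately produced by an active key and will only be replaced when
    the record is re-signed. The Delete date should therefore sit at least
    one sig-validity-interval after Inactive (assumed default: 30 days).
    """
    expiration, inception, _ = sig
    signing_time = inception + skew
    signed_while_active = signing_time < timing["Inactive"]
    recommended_delete = timing["Inactive"] + sig_validity
    return {
        "signed_while_active": signed_while_active,
        "sig_outlives_delete": expiration > timing["Delete"],
        "delete_too_early": timing["Delete"] < recommended_delete,
        "recommended_delete": recommended_delete,
    }


if __name__ == "__main__":
    result = check_retirement(key_timing(KEY_FILE), rrsig_window(RRSIG_LINE))
    for k, v in result.items():
        print(f"{k}: {format_ts(v) if isinstance(v, datetime) else v}")
```

Run against the values in the thread it reports that the RRSIG was produced by an active key, that its expiration (20131029191450) is later than the configured Delete time, and that Delete should be moved out to 20131029201510 or later, which is the 30-day extension Mark recommends.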