bind 9.10-P2 dnssec keys management
Jittinan Suwanruengsri
jittinans at ttt.co.th
Fri Aug 8 03:29:27 UTC 2014
Hi,
1. my server uses key id 23412 first and then 40767
[root at dnssec keys]# dnssec-settime -p all Kexample.com.+005+23412
Created: Wed Jul 30 14:56:09 2014
Publish: Wed Jul 30 14:56:09 2014
Activate: Fri Aug 1 14:56:09 2014
Revoke: UNSET
Inactive: Sun Aug 31 14:56:09 2014
Delete: Mon Sep 1 14:56:09 2014
[root at dnssec keys]# dnssec-settime -p all Kexample.com.+005+40767
Created: Thu Aug 7 15:59:03 2014
Publish: Fri Aug 29 14:56:09 2014
Activate: Sun Aug 31 14:56:09 2014
Revoke: UNSET
Inactive: Tue Sep 30 14:56:09 2014
Delete: Wed Oct 1 14:56:09 2014
2. In order to test changing to a new ZSK, I set the OS clock to a
future time, Aug 31 14:56:08 2014 (now it is Aug 7 2014). Then I wait
2-3 secs to ensure that bind activates the new ZSK id 40767 and inactivates
the old ZSK id 23412.
3. I use dig to check whether bind activates the new key correctly or
not, but I notice there are some dns records which are signed by the new key
and some dns records which are signed by the old key. In theory, after the new ZSK is
activated, all dns records must be signed with the new key.
4. This is the result.
[root at dnssec keys]# dig @10.10.10.203 example.com any +dnssec +multiline
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.10.10.203
example.com any +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5421
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN ANY
;; ANSWER SECTION:
example.com. 86400 IN RRSIG NS 5 2 86400 20140928075513 (
20140829070015 23412 example.com.
lggwXqqh5PwYcNFqjVQEPKuLoJANDzsLJ7pAFtgIF6wh
EMtxKFN+Y4SXx6O/OcHrGgxcwYRV+/yN3YHAj55sq0ax
sp3uBI0YvOrwrmQeqaIqeMynzafehrwTHLeMxTMkimlT
JakSvRLglpCtpNw0n2xUMkFo4MM6dN/0NzANSdw=
)
example.com. 86400 IN RRSIG NSEC 5 2 86400 20140928075513 (
20140829070015 23412 example.com.
PkgjBT8SE24O5gFktr6XncfoB/KHcW1chVvlDhiFtzS+
bagayzo5r8uzw0frlVSN3JEbxRJSVX/55uahgYuzhCj/
F/dfGnQ9PRn1+1DjhFTFO0IzHBqN0LmyAhbOTrwQMyrN
aJnckwAFAJoPOIA+N8dcT8rIT9jK/Bhdmi0+NRo=
)
example.com. 86400 IN NSEC ns.example.com. NS SOA RRSIG NSEC
DNSKEY TYPE65534
example.com. 86400 IN RRSIG SOA 5 2 86400 20140930075609 (
20140831065609 40767 example.com.
dA4v0mEU0stMci6TcwH3iWKc2iqgx/tt5fjfMdHqHSoG
XnzDMiQBxT7qucQ7ixN9ocaQUsCqCWgOgGL6SLW4/Qja
iIi78dvtlU2JKVNCC5qnJudn5MlUS1/VSToDY9CqKO4Z
BnrvlfvoRWJv/IlRqSXdG5taB8zvAw3drzaHO/E=
)
example.com. 0 IN RRSIG TYPE65534 5 2 0 20140928075513 (
20140829070015 23412 example.com.
ynK/o9xUhkLTxmfUMsUZ+Lroi9ov5n6p1X2adr0PsNbY
WQqG0qBQgzQqH6a6TDcCS/d8SFMJCl0duf8y4nlytDUV
6z2psdUNt6or8xPHTdCDPJKFLMxzFV8gpD5oxPLS3DeU
C27+SFEpCzKtgwjxGkHzZabNesK6WKSoPwQFvaw=
)
example.com. 86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (
20140831065609 5554 example.com.
Vb502xsTCsQDRMDt3/f5Q28XC9c908GGIZzgAP4jeHXa
hGdhXP/lVcZw38bJplw7t9ysgJyyeSzdULTAQbyMy+Fd
gTzjGqRz1elme1AkrguUHNmee/MvP1Sgkmj+UOENBaN/
ubqh9ywJcRsYK7RqfN1B6xLIyB8WDwcrpvroD8iwJmP1
CZYN+xrhvq/0ancfMUguLAHsfRh4ldxKZ4oy/NrkJJbp
3a2yO0O99D6RZQ== )
example.com. 86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (
20140831065609 40767 example.com.
dH6x9qaiE49/jMve7Uv7cOIYh6L4YPz9WEFydRv6euqQ
B7Zj4tX2aoruJxvupHn0hgzVyS4EtIfdsXTOOyLCxghl
j3//Gfv7Y+kf14hm+MCVIHqbpq9J2FHAHTK3WgTgMAXX
2SfYcrW676TQ1zWlpAUHKFPDwPwGB3CTzszu3vE=
)
example.com. 0 IN TYPE65534 \# 5 ( 059F3F0000 )
example.com. 0 IN TYPE65534 \# 5 ( 0515B20001 )
example.com. 0 IN TYPE65534 \# 5 ( 055B740001 )
example.com. 86400 IN DNSKEY 256 3 5 (
AwEAAaB5OP8VxbRihmF2d6woYO266+SFlGsj5xwcDiF2
ctMKazuasvGyCtkuqbfEJWYfyAumQlObAbKuuR59qoQo
hCSwmzXH67gUrKjhAQfQKFa2KmzrcVe+hyQtAVzWoHgK
ff7t8LgbESPwEqwgmvT97rxjyZHHFVkttXxXfZ+GkzZj
) ; key id = 40767
example.com. 86400 IN DNSKEY 256 3 5 (
AwEAAdz+HnGTt4MKPecTfEmTgdGLKT1AAFzub8vkmpSu
3J8phU4GHEXFl81I8klDIC2vMbgXRL4ZbOe1wBvK7tq+
i4m6YliYOm4rIiWX2lc7hh+pj2WI4h2KgHalUCjB4Zwf
U5vR4biVdCJ6p+JEvo7AJMDXyWUhJsLRqcpHDtao3Rn/
) ; key id = 23412
example.com. 86400 IN DNSKEY 257 3 5 (
AwEAAb2FS/90WOx0xXHkaYRth7DTvdeEoIhsWAsOx8TR
rdjwx7gtr5f/ZQvcnQM7FMzM8f18iBm51SclpipYeNMF
FRaYAp+mdqnHeO+B63q/E3+cBiKrmdVUyvJwuS8MzXuA
ZyVkPMr4U1EUJpONYD5nVmlc/RzexcGc9fj/PAzB4zbB
rwb7QRfJHzrWC/C+DMx14MqRdkGWPGYRU4YB4jt5Mq/8
LARkB3Q7Xn92//U8Zb8=
) ; key id = 5554
example.com. 86400 IN NS ns.example.com.
example.com. 86400 IN SOA ns.example.com.
hostmaster.example.com. (
2013122405 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
;; ADDITIONAL SECTION:
ns.example.com. 86400 IN A 10.10.10.203
ns.example.com. 86400 IN RRSIG A 5 3 86400 20140928075513 (
20140829070015 23412 example.com.
PcBkNi7e4qjCcUcug/bYBCjTG8HzEqOoY8rTUpRSDGbu
gA1MKJFGKzsPtFqFhvYlfqsymGxmEkUfOP6obvUudsKS
jcuEP9Xp+OeeWqm+pTrVXOk8tPV/yhtdMJdgRj+PGwkj
h/MbmJnKGXI/lT5odagacnFUidI5c1QFs+4DvLs=
)
;; Query time: 1 msec
;; SERVER: 10.10.10.203#53(10.10.10.203)
;; WHEN: Sun Aug 31 15:04:38 2014
;; MSG SIZE rcvd: 1974
5. Can anybody explain to me what is wrong with it? How do I fix this
error?
Thank you
Jittinan
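An added example, not part of the original post: it parses the RRSIG lines of the dig output above and checks each signer key id against the dnssec-settime timing, as of the time the query was run, which separates signatures from the active key from signatures from a key that is inactive but still published (and therefore still validates until it is resigned or deleted). The names KEY_TIMING, parse_rrsigs and audit are mine, and it assumes the server's local clock is 7 hours ahead of UTC, since dnssec-settime and dig print local time while RRSIG timestamps are UTC.

```python
import re
from datetime import datetime, timedelta

# Key timing as printed by dnssec-settime -p all in the post (local time):
# key id -> (Activate, Inactive, Delete)
KEY_TIMING = {
    23412: ("Fri Aug 1 14:56:09 2014", "Sun Aug 31 14:56:09 2014", "Mon Sep 1 14:56:09 2014"),
    40767: ("Sun Aug 31 14:56:09 2014", "Tue Sep 30 14:56:09 2014", "Wed Oct 1 14:56:09 2014"),
}
# Constructed sample: RRSIG header lines taken from the post's dig output, signature data dropped.
DIG_SAMPLE = """\
example.com. 86400 IN RRSIG NS 5 2 86400 20140928075513 (
20140829070015 23412 example.com.
example.com. 86400 IN RRSIG SOA 5 2 86400 20140930075609 (
20140831065609 40767 example.com.
ns.example.com. 86400 IN RRSIG A 5 3 86400 20140928075513 (
20140829070015 23412 example.com.
"""
# owner, covered type, expiration, then on the next line inception and key id
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+\(\s*\n"
    r"\s*(\d{14})\s+(\d+)\s+\S+", re.MULTILINE)

def _rrsig_time(s):  # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S")

def _settime(s):  # dnssec-settime and dig print local wall-clock time
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")

def parse_rrsigs(text):
    """Return (owner, covered type, expiration, inception, key id) per RRSIG."""
    return [(o, t, _rrsig_time(e), _rrsig_time(i), int(k))
            for o, t, e, i, k in RRSIG_RE.findall(text)]

def audit(text, now_local, utc_offset_hours=7):
    """Classify each signature as seen at now_local; utc_offset_hours (assumed 7)
    converts the local clock to the UTC used in RRSIG validity windows."""
    now_utc = now_local - timedelta(hours=utc_offset_hours)
    out = []
    for owner, rtype, exp, inc, keyid in parse_rrsigs(text):
        if keyid not in KEY_TIMING or not inc <= now_utc < exp:
            status = "invalid"  # unknown signer or outside the RRSIG validity window
        else:
            act, inact, dele = (_settime(x) for x in KEY_TIMING[keyid])
            if act <= now_local < inact:
                status = "active"  # signed by the key that should be signing now
            elif inact <= now_local < dele:
                status = "inactive-but-published"  # validates until resigned or key deleted
            else:
                status = "invalid"  # key not yet active or already deleted
        out.append((owner, rtype, keyid, status))
    return out

if __name__ == "__main__":
    for row in audit(DIG_SAMPLE, _settime("Sun Aug 31 15:04:38 2014")):
        print(*row)
```

Run against the full dig output, it lists every RRset still carrying a signature from the inactive key 23412, which is what to watch until the zone has been fully resigned.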