dnssec-coverage - ignore coverage gaps in the distant past
Graham Clinch
g.clinch at lancaster.ac.uk
Tue Jun 24 10:26:43 UTC 2014
Hi folks,
Summary: Is there a trick to running dnssec-coverage so that it will not
report failure if there are coverage gaps in the 'distant' past?
Detail:
I've performed a key rollover, and dnssec-coverage reports:
===
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone palatine.ac.uk, algorithm RSASHA256...
Thu Apr 24 08:56:09 UTC 2014:
Publish: palatine.ac.uk/008/04681 (KSK)
Activate: palatine.ac.uk/008/04681 (KSK)
Thu May 01 15:02:35 UTC 2014:
Publish: palatine.ac.uk/008/37960 (KSK)
Sat May 31 15:02:35 UTC 2014:
Activate: palatine.ac.uk/008/37960 (KSK)
Inactive: palatine.ac.uk/008/04681 (KSK)
Sun Jun 29 15:02:35 UTC 2014:
Delete: palatine.ac.uk/008/04681 (KSK)
No errors found
Checking scheduled ZSK events for zone palatine.ac.uk, algorithm RSASHA256...
Thu Apr 24 08:56:38 UTC 2014:
Publish: palatine.ac.uk/008/27594 (ZSK)
Activate: palatine.ac.uk/008/27594 (ZSK)
Wed May 07 11:36:59 UTC 2014:
Publish: palatine.ac.uk/008/30231 (ZSK)
Thu May 08 11:36:59 UTC 2014:
Inactive: palatine.ac.uk/008/27594 (ZSK)
Activate: palatine.ac.uk/008/30231 (ZSK)
Thu Jun 05 11:36:59 UTC 2014:
Delete: palatine.ac.uk/008/27594 (ZSK)
No errors found
===
As the ZSK palatine.ac.uk/008/27594 has been deleted from the zone, I'd
like to simplify the key directory by removing the now unused key
material. When I do so, named continues happily (the zone is
inline-signed), and there are no warnings when it rescans the key directory.
However, dnssec-coverage now complains:
===
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone palatine.ac.uk, algorithm RSASHA256...
Thu Apr 24 08:56:09 UTC 2014:
Publish: palatine.ac.uk/008/04681 (KSK)
Activate: palatine.ac.uk/008/04681 (KSK)
Thu May 01 15:02:35 UTC 2014:
Publish: palatine.ac.uk/008/37960 (KSK)
Sat May 31 15:02:35 UTC 2014:
Activate: palatine.ac.uk/008/37960 (KSK)
Inactive: palatine.ac.uk/008/04681 (KSK)
Sun Jun 29 15:02:35 UTC 2014:
Delete: palatine.ac.uk/008/04681 (KSK)
No errors found
Checking scheduled ZSK events for zone palatine.ac.uk, algorithm RSASHA256...
Wed May 07 11:36:59 UTC 2014:
Publish: palatine.ac.uk/008/30231 (ZSK)
ERROR: No ZSK's are active after this event
===
If dnssec-coverage continued processing and got to May the 8th, it
(should) find that the key became active.
Is there a trick to ask dnssec-coverage to ignore gaps in the distant (>
TTL?) past, or do I need to keep all of the keys ever used on the zone
in the key directory, if I wish to use dnssec-coverage?
Graham
--
Graham Clinch
Systems Programmer,
Lancaster University
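The behaviour described above, worked through as an added example (this is not code from the post, and it is not dnssec-coverage itself). It re-implements the ZSK part of the scan over an event list constructed from the timings in the two dnssec-coverage runs quoted in the post, and adds the one knob the poster is asking for: a cutoff time before which coverage gaps are replayed but not reported. The state is still checked once at the cutoff itself, so a gap that is genuinely current is not hidden. The key names, timestamps and the "now" value (the post's date) are taken from the post; the event-dictionary layout and function names are this example's own.

```python
"""Added example (not code from the original post and not dnssec-coverage
itself): a minimal ZSK coverage scan over the timings shown in the post,
with a cutoff before which coverage gaps are not reported.
"""
from datetime import datetime, timezone
from itertools import groupby


def parse_stamp(stamp):
    """Parse a dnssec-keygen style YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


# Constructed from the ZSK events in the post's first dnssec-coverage run
# (both keys still present in the key directory).
ZSK_EVENTS_FULL = {
    "palatine.ac.uk/008/27594": {
        "Publish": parse_stamp("20140424085638"),
        "Activate": parse_stamp("20140424085638"),
        "Inactive": parse_stamp("20140508113659"),
        "Delete": parse_stamp("20140605113659"),
    },
    "palatine.ac.uk/008/30231": {
        "Publish": parse_stamp("20140507113659"),
        "Activate": parse_stamp("20140508113659"),
    },
}

# The same directory after the retired key's files were removed (second run).
ZSK_EVENTS_PRUNED = {
    "palatine.ac.uk/008/30231": ZSK_EVENTS_FULL["palatine.ac.uk/008/30231"],
}

# Date of the post, used as "now" for the cutoff in the demo below.
POST_TIME = parse_stamp("20140624102643")


def timeline(events):
    """Flatten {key: {event: time}} into time-ordered (time, event, key) tuples."""
    return sorted((when, ev, key)
                  for key, evs in events.items()
                  for ev, when in evs.items())


def apply_event(active, ev, key):
    """Update the set of active keys for one scheduled event."""
    if ev == "Activate":
        active.add(key)
    elif ev in ("Inactive", "Delete"):
        active.discard(key)


def check_coverage(events, ignore_before=None):
    """Scan the timeline and return a list of coverage problems (empty if none).

    Events earlier than ignore_before are replayed to build up the key state,
    but any gap they leave is not reported. The state is checked once at the
    cutoff and then after every group of simultaneous events that follows it.
    """
    active = set()
    problems = []
    start_checked = ignore_before is None

    def note(when, what):
        problems.append(f"{when:%a %b %d %H:%M:%S %Z %Y}: {what}")

    for when, group in groupby(timeline(events), key=lambda e: e[0]):
        if not start_checked and when >= ignore_before:
            if not active:
                note(ignore_before, "no ZSKs are active at the start of the scan")
            start_checked = True
        last = None
        for _, ev, key in group:
            apply_event(active, ev, key)
            last = f"{ev}: {key}"
        if start_checked and not active:
            note(when, f"no ZSKs are active after this event ({last})")

    # Every event was before the cutoff: check the state we ended up in.
    if not start_checked and not active:
        note(ignore_before, "no ZSKs are active at the start of the scan")
    return problems


if __name__ == "__main__":
    runs = [
        ("all keys, full history", ZSK_EVENTS_FULL, None),
        ("retired key removed, full history", ZSK_EVENTS_PRUNED, None),
        ("retired key removed, gaps before the post date ignored", ZSK_EVENTS_PRUNED, POST_TIME),
    ]
    for label, events, cutoff in runs:
        print(f"== {label}")
        for line in check_coverage(events, cutoff) or ["No errors found"]:
            print("  " + line)
```

The second run reproduces the complaint in the post (the retired key's Inactive/Delete history is gone, so at 30231's Publish nothing is active yet); the third run, with the cutoff set to "now", passes, because by then 30231 has long been active. The cutoff is a parameter on purpose: set it a few TTLs or one signature-validity period behind the current time rather than exactly at it, so that a gap that a resolver cache could still be feeling is reported, while anything older is ignored.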