Testing RFC 5011 key roll
Edward Lewis
edward.lewis at icann.org
Mon Apr 20 19:41:23 UTC 2015
Thanks. rm'd the file and added the timers. (I did that also after
sending, so it is deleting the old file that did the trick.) The
start-up lines look good.
Got an AD bit again too.
(I may have a few more issues as I move this off a laptop on to a regular
machine. Right now it helps knowing where the loose bits are stored.)
On 4/20/15, 15:12, "Evan Hunt" <each at isc.org> wrote:
>On Mon, Apr 20, 2015 at 06:42:42PM +0000, Edward Lewis wrote:
>> Being that I'm working on a laptop (hence on on over the weekend) I've
>> had to recreate the environment today. I'm a bit more puzzled now.
>
>There's a separate file that named creates to keep the current
>managed keys state information -- it's based on the view name,
>so in your case it'll be "recursive.mkeys" (and possibly
>"recursive.mkeys.jnl"). I suspect it still has the key from
>Friday in it, and that's messing things up. Delete that file and
>reinitialize, then leave the server up and running (not forgetting
>to use -T mkeytimers=H/D/M, where M is no more than 3600 seconds,
>because keyroll.systems rolls its keys every hour and normal RFC
>5011 processing can't handle that), and you should be in good shape.
>
>--
>Evan Hunt -- each at isc.org
>Internet Systems Consortium, Inc.