DNSSEC: Why aren't the old keys going hidden?
Larry Rosenman
ler at lerctr.org
Sun May 1 20:51:46 UTC 2022
I have 2 domains where I switched from Alg 8 to Alg 13, but the old keys
don't seem to be going away.
Attached are the state files, and the rndc dnssec -status outputs.
Ideas?
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: ler at lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
-------------- next part --------------
dnssec-policy: ler2
current time: Sun May 1 15:49:25 2022
key: 22146 (RSASHA256), ZSK
published: yes - since Sun Apr 10 13:59:22 2022
zone signing: yes - since Sun Apr 10 13:59:22 2022
Rollover is due since Mon Apr 25 09:30:37 2022
- goal: hidden
- dnskey: omnipresent
- zone rrsig: omnipresent
key: 29251 (ECDSAP256SHA256), KSK
published: yes - since Sat Apr 16 21:41:31 2022
key signing: yes - since Sat Apr 16 21:41:31 2022
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: omnipresent
- key rrsig: omnipresent
key: 17471 (RSASHA256), KSK
published: yes - since Sun Apr 10 13:59:22 2022
key signing: yes - since Sun Apr 10 13:59:22 2022
Rollover is due since Mon Apr 25 11:35:57 2022
- goal: hidden
- dnskey: omnipresent
- ds: unretentive
- key rrsig: omnipresent
key: 17274 (ECDSAP256SHA256), ZSK
published: yes - since Sat Apr 16 21:41:31 2022
zone signing: yes - since Sat Apr 16 21:41:31 2022
Next rollover scheduled on Fri Jul 15 19:36:31 2022
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: omnipresent
-------------- next part --------------
dnssec-policy: ler2
current time: Sun May 1 15:48:59 2022
key: 43159 (ECDSAP256SHA256), KSK
published: yes - since Sat Apr 16 21:41:31 2022
key signing: yes - since Sat Apr 16 21:41:31 2022
Rollover is due since Mon Apr 25 13:41:36 2022
- goal: hidden
- dnskey: omnipresent
- ds: unretentive
- key rrsig: omnipresent
key: 12796 (RSASHA256), KSK
published: yes - since Sun Apr 10 13:59:22 2022
key signing: yes - since Sun Apr 10 13:59:22 2022
Rollover is due since Mon Apr 25 11:36:50 2022
- goal: hidden
- dnskey: omnipresent
- ds: unretentive
- key rrsig: omnipresent
key: 39581 (ECDSAP256SHA256), KSK
published: yes - since Mon Apr 25 09:31:36 2022
key signing: yes - since Mon Apr 25 09:31:36 2022
No rollover scheduled
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- key rrsig: omnipresent
key: 5844 (RSASHA256), ZSK
published: yes - since Sun Apr 10 13:59:22 2022
zone signing: yes - since Sun Apr 10 13:59:22 2022
Rollover is due since Wed Apr 27 10:54:16 2022
- goal: hidden
- dnskey: omnipresent
- zone rrsig: omnipresent
key: 3879 (ECDSAP256SHA256), ZSK
published: yes - since Sat Apr 16 21:41:31 2022
zone signing: yes - since Sat Apr 16 21:41:31 2022
Next rollover scheduled on Fri Jul 15 19:36:31 2022
- goal: omnipresent
- dnskey: omnipresent
- zone rrsig: omnipresent
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-keys-issue.tar.gz
Type: application/gzip
Size: 1093 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220501/8550a025/attachment.gz>
More information about the bind-users
mailing list