"auto-dnssec maintain" stopped working again...

Michelle Konzack linux4michelle at tamay-dogan.net
Sun Oct 2 16:12:56 UTC 2011


Hello Hauke Lampe,

On 2011-10-01 02:02:56, you hacked down the following:
> Do you mean expired signatures or no signatures at all?

I have expired signatures...

> In the latter case, have you checked that the zone's keys are readable
> by named and still active?

Ehm yes

root at dns1 /etc/bind # ls -Al /etc/bind/master/net/tamay-dogan/*tamay-dogan*
-rw-r--r-- 1 bind adm  502 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
-rw------- 1 bind adm 1.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.private
-rw-r--r-- 1 bind adm  502 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
-rw------- 1 bind adm 1.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.private
-rw-rw-r-- 1 bind adm 2.2K Jul  3 17:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan
-rw-rw-r-- 1 bind adm  249 Jun 17 22:33 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf
-rw-r--r-- 1 bind adm  256 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf.signed
-rw-rw-r-- 1 bind adm 1.1K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1
-rw-rw-r-- 1 bind adm  238 Oct  2 17:59 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf
-rw-r--r-- 1 bind adm  245 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf.signed
-rw-r--r-- 1 bind adm  13K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.signed
-rw-rw-r-- 1 bind adm  798 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2
-rw-rw-r-- 1 bind adm  238 Oct  2 17:59 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf
-rw-r--r-- 1 bind adm  245 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf.signed
-rw-r--r-- 1 bind adm 8.2K Oct  2 18:01 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.signed
-rw-r--r-- 1 bind adm 7.1K Jul 26 04:22 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed
-rw-r--r-- 1 bind adm  15K Jul 26 04:10 /etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed.jnl
-rw-r--r-- 1 bind adm  459 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.key
-rw------- 1 bind adm 1010 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.private
-rw-r--r-- 1 bind adm  459 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.key
-rw------- 1 bind adm 1010 Oct  2 18:01 /etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.private
-rw-r--r-- 1 bind adm  439 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.key
-rw------- 1 bind adm 1010 Jul  3 17:10 /etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.private

If I am right, this looks right.

> Try dnssec-settime -p all /path/to/keys/Kexample.com.+005+12345.key and
> look for "Activate:" and "Inactive:"

root at dns1 /etc/bind # dnssec-settime -p all /etc/bind/master/net/tamay-dogan/KSK_Ktamay-dogan.net.+005+12268.key
Created: Sun Jul  3 17:10:49 2011
Publish: Sun Jul  3 17:10:49 2011
Activate: Sun Jul  3 17:10:49 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

seems not very good...

root at dns1 /etc/bind # dnssec-settime -p all /etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
Created: Sun Oct  2 18:01:29 2011
Publish: Sun Oct  2 18:01:29 2011
Activate: Sun Oct  2 18:01:29 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
root at dns1 /etc/bind # dnssec-settime -p all /etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
Created: Sun Oct  2 18:01:34 2011
Publish: Sun Oct  2 18:01:34 2011
Activate: Sun Oct  2 18:01:34 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

I have added these two today...

> There have been a few bugfixes to automatic signing between 9.7.3 and
> 9.8. Maybe you hit one of those bugs.

Hmmm, I will ask the Debian Maintainers...

> Hauke.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems at tdnet
Owner Michelle Konzack
                                    Tel: +49-176-86004575 office
Gewerbe Straße 3                    Tel: +49-177-9351947  mobil
77694 Kehl/Germany                  Tel: +33-6-61925193   mobil (France)

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber linux4michelle at jabber.ccc.de
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/