DNSSEC Next key event

Per-Olof Axelsson Per-Olof.Axelsson at hb.se
Thu Jan 5 11:00:51 UTC 2012


Hi, 

I have a question about DNSSEC and "Next key event".

I have created 4 keys (ZSK) in advance. Every key has an active period
of 3 months and is published 3 days before activation time and
inactivated 3 days after.
I have set the following options in named.conf:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
key-directory "/var/named/dyn/keys";
.
.
zone "domain.com" {
  type master;
  file "dyn/zone.domain.com";
  update-policy local;
  auto-dnssec maintain;
};

In an earlier version of BIND (9.8.0-P4) I would see the following
messages in /var/log/messages when I reloaded BIND.
--------------------------------------------------------------------------------------------
Dec 28 14:04:38 mumin named[18046]: zone domain.com/IN: next key event:
25-Feb-2012 13:30:00.000
--------------------------------------------------------------------------------------------

The date and time for the next key event, in this case, would be the
publication time for the next key. 


Now, in BIND version 9.8.1-P1, the following is reported in the
logfile.
------------------------------------------------------------------------------------------
Jan  5 07:39:33 mumin named[2320]: zone domain.com/IN: next key event:
05-Jan-2012 08:39:33.840
Jan  5 08:39:33 mumin named[2320]: zone domain.com/IN: next key event:
05-Jan-2012 09:39:33.842
Jan  5 09:39:33 mumin named[2320]: zone domain.com/IN: next key event:
05-Jan-2012 10:39:33.845
------------------------------------------------------------------------------------------

The next key event is every hour, and NOT when the "real" key change
occurs.
Is this correct?

--------
Per-Olof Axelsson
IT-Department
University of Borås, Sweden
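As an added example (not part of the original post or of BIND), the
following Python sketch lays out the timetable described above: four
ZSKs, each active for 3 months, published 3 days before activation and
made inactive 3 days after its successor takes over (that is how
"inactivated 3 days after" is read here), emits matching dnssec-keygen
timing options, and computes the "next key event" such a schedule
predicts. The zone name and key directory are the post's; the algorithm,
key size and the first activation date are constructed.

```python
"""Pre-scheduled ZSK rollover: timing metadata and expected next key event.
Example code, not from the bind-users post; all dates are constructed."""
import calendar
from datetime import datetime, timedelta

PREPUBLISH = timedelta(days=3)   # publish 3 days before activation
RETIRE_LAG = timedelta(days=3)   # inactive 3 days after the successor activates
ACTIVE_MONTHS = 3                # each key is active for 3 months


def add_months(dt, months):
    """Calendar-month addition, clamping the day to the target month's length."""
    month0 = dt.month - 1 + months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def zsk_schedule(first_activation, count=4):
    """Publish/Activate/Inactive timestamps for `count` consecutive ZSKs."""
    keys = []
    for i in range(count):
        activate = add_months(first_activation, ACTIVE_MONTHS * i)
        keys.append({
            "name": "ZSK-%d" % (i + 1),
            "publish": activate - PREPUBLISH,
            "activate": activate,
            "inactive": add_months(activate, ACTIVE_MONTHS) + RETIRE_LAG,
        })
    return keys


def keygen_commands(keys, zone, keydir, alg="RSASHA256", bits=1024):
    """dnssec-keygen invocations carrying the -P/-A/-I timing metadata.
    Algorithm and key size are constructed placeholders, not the poster's."""
    fmt = "%Y%m%d%H%M%S"  # the YYYYMMDDHHMMSS form dnssec-keygen accepts
    return [
        "dnssec-keygen -K %s -a %s -b %d -P %s -A %s -I %s %s" % (
            keydir, alg, bits, k["publish"].strftime(fmt),
            k["activate"].strftime(fmt), k["inactive"].strftime(fmt), zone)
        for k in keys
    ]


def next_key_event(keys, now):
    """Earliest timing boundary strictly after `now` across all keys, i.e.
    the moment the poster expected 'next key event' to name (None if done)."""
    future = [k[f] for k in keys for f in ("publish", "activate", "inactive")
              if k[f] > now]
    return min(future) if future else None
```

With ZSK-1 activated on 28-Nov-2011 13:30, the first future boundary
seen from 28-Dec-2011 is ZSK-2's publication on 25-Feb-2012 13:30, the
value the 9.8.0-P4 log line reported.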




More information about the bind-users mailing list