KSK stays published 3 days after delete time
Evan Hunt
each at isc.org
Thu May 10 21:52:51 UTC 2012
> > key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
> > It has been deleted from the repository at 2012-05-07T14:55:02.569706,
> > but is still included by named 9.9.0 in the zone framail.de
> > (as of 2012-05-10T19:51:32).
>
> To clarify: I'm using inline-signing.
> The repository is the key-directory configured in named.conf.
> "Deleted" means: My script deleted it.
Named won't delete the key from the zone unless you explicitly tell
it to do so. For all it knows, your key file may have been removed
by mistake.
The correct way to remove a key from your zone is to schedule it
for deletion. If it already has a successor published, then you can
schedule the event immediately:
$ dnssec-settime -K <repository-path> -D now Kframail.de.+007+13245
$ rndc loadkeys framail.de
The -D option says "the key should be deleted after the specified
time", which in this case is "now". "rndc loadkeys" tells named to
examine the keys in the repository and note any changes to the scheduled
events. named will see that the specified KSK is scheduled for deletion,
it will remove it from the DNSKEY RRset, and it will resign the DNSKEY
RRset wth the remaining key(s).
After that's happened, you can remove the key file from the repository
if you wish.
If you still have a copy of the key file, put it back and follow the
above steps. Otherwise, I suggest resigning the zone from scratch
with the remaining keys. (Update the SOA serial number in the unsigned
zonefile to something higher than the current serial number in the
signed zone; move <file>.signed and <file>.signed.jnl to some other
location; restart named. A new signed zone should be generated with
the correct keyset.)
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list