9.9.1 continues to sign with inactive KSK

Axel Rau Axel.Rau at chaos1.de
Fri May 25 11:59:33 UTC 2012


Hi all,

There is a KSK rollover running for framail.de.
It's an inline-signing maintain configuration, upgraded from 9.9.0.
The tags of the KSKs with their dates are (set with dnssec-settime):
---
[framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
[framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
---
46210 is inactive and still used to sign DNSKEYs (from dig +dnssec DNSKEY framail.de. at 2012-05-25T13:55):
---
framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
---
Shouldn't named have ceased signing keys with this key?

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
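
One way to check whether an RRSIG was produced after its key's Inactive time or merely predates it, using the key metadata and RRSIG lines quoted in the post above. This is an added example, not part of the original post or of BIND; the function names are hypothetical, all timestamps are assumed to be UTC, and the one-hour inception backdating is an assumption exposed as a parameter.

```python
import re
from datetime import datetime, timedelta, timezone

# Key timing metadata and RRSIG lines as quoted in the post (signatures truncated there).
KEYS = """\
[framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
[framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
"""
SIGS = (
    "framail.de.\t\t86400\tIN\tRRSIG\tDNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...\n"
    "framail.de.\t\t86400\tIN\tRRSIG\tDNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...\n"
)

def _ts(text, fmt):
    # Assumption: every timestamp is UTC.
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def parse_keys(text):
    """Map key tag -> Activate/Inactive/Delete times."""
    pat = re.compile(r"/KSK/(\d+)/\d+\(A:([^,]+), I:([^,]+), D:([^)]+)\)")
    iso = "%Y-%m-%dT%H:%M:%S"
    return {int(t): {"A": _ts(a, iso), "I": _ts(i, iso), "D": _ts(d, iso)}
            for t, a, i, d in pat.findall(text)}

def parse_rrsigs(text):
    """Return (key tag, inception, expiration); RRSIG lists expiration first."""
    pat = re.compile(r"RRSIG\s+DNSKEY\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s")
    return [(int(tag), _ts(inc, "%Y%m%d%H%M%S"), _ts(exp, "%Y%m%d%H%M%S"))
            for exp, inc, tag in pat.findall(text)]

def classify(keys, sigs, now, backdate=timedelta(hours=1)):
    """Verdict per signing key tag; backdate is the assumed inception offset."""
    out = {}
    for tag, inception, expiration in sigs:
        key = keys.get(tag)
        signed_at = inception + backdate  # estimated wall-clock signing time
        if key is None:
            out[tag] = "unknown-key"
        elif now < key["I"]:
            out[tag] = "key-active"
        elif signed_at >= key["I"]:
            out[tag] = "signed-after-inactive"
        elif expiration > now:
            out[tag] = "signed-before-inactive-still-valid"
        else:
            out[tag] = "expired"
    return out

NOW = _ts("2012-05-25T13:55:00", "%Y-%m-%dT%H:%M:%S")  # time of the dig query in the post

if __name__ == "__main__":
    for tag, verdict in classify(parse_keys(KEYS), parse_rrsigs(SIGS), NOW).items():
        print(tag, verdict)
```

A verdict of `signed-after-inactive` means the retired key produced a new signature; `signed-before-inactive-still-valid` means the RRSIG was generated while the key was still active and has not yet expired.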



