inactivating and deleting DNSSEC keys

David Newman dnewman at networktest.com
Tue Oct 8 23:01:08 UTC 2013


On 10/8/13 3:51 PM, Alan Clegg wrote:
> 
> On Oct 8, 2013, at 6:42 PM, David Newman <dnewman at networktest.com> 
> wrote:
> 
>> bind 9.9.4
>> 
>> How to troubleshoot issues when keys are supposed to be 
>> invalidated or deleted on specific dates, but aren't?
>> 
>> In this case, a KSK was supposed to be inactivated on 29 
>> September 2013 and deleted on 9 October 2013.
>> 
>> From the .key file:
>> 
>> ; This is a key-signing key, keyid 56989, for networktest.com. ; 
>> Created: 20130723214837 (Tue Jul 23 14:48:37 2013) ; Publish: 
>> 20130723214837 (Tue Jul 23 14:48:37 2013) ; Activate: 
>> 20130723214837 (Tue Jul 23 14:48:37 2013) ; Inactive: 
>> 20130929201510 (Sun Sep 29 13:15:10 2013) ; Delete: 
>> 20131009201510 (Wed Oct  9 13:15:10 2013)
>> 
>> Problem is, dig says the key is still active, and will be until 
>> 29 October 2013:
>> 
>> $ dig networktest.com @localhost +multi rrsig | grep 56989 
>> 20131029191450 20130929181450 56989 networktest.com.
> 
> You don't provide all of the record.  It's an RRSIG that is still 
> within its lifetime.
> 
> Do a dig for "DNSKEY" rrtype at the zone name and see what you
> get back.

I think this is what you're asking for, but if not please let me know.
Thanks.

dn

$ dig networktest.com @localhost +multi dnskey

; <<>> DiG 9.9.4 <<>> networktest.com @localhost +multi dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11568
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;networktest.com.	IN DNSKEY

;; ANSWER SECTION:
networktest.com.	3600 IN	DNSKEY 256 3 8 (
				AwEAAc/YdGPWOi57E4yj6bYw55o9XXYP2V8xNhRFBtQM
				6iGLrf+OHzIpA2ffPhL8CHOZxkH6nIKNDzQ9sWnih1O4
				BDSI062F8AextdeA2V0cLin43y3YDL0LK8SFaNMPKdwR
				hAD3KIXtbvZRFBU1iUEUoRy6ZpO8K0HRSyQgYa5SdqP5
				) ; ZSK; alg = RSASHA256; key id = 16788
networktest.com.	3600 IN	DNSKEY 257 3 8 (
				AwEAAdAmmvkvbIIRoq48aqHToIIcGKImBoKdqUyslOyM
				rRH5mxN7o0wc50ib2g6E+EtBWCn3UqrqpGcru1ZHkDoJ
				eCf2JbSKViOJPRWgAx1JfVFwO6eL4lDcMGb6OF0OxPCc
				9OMkUo6B/76fORJgelbpqKscHAYCo92npR+XpZMoj/Gj
				S3sDn8k62eIXkbAFOXQuuGFVfQ0chKSv0QctlcnsTHkF
				NRmjwVjN5xYPy0kn0bXVCC8Iiah2RqQAdV4jij2c4iM7
				STwlnKYBWslQZGWi8LQgjLgUNOvh0dfWdLCYiQR7WwPf
				W5Y2RxgvZ3SmG1+ntX5ps+VU7jKzXnDiPWwKp9M=
				) ; KSK; alg = RSASHA256; key id = 56989
networktest.com.	3600 IN	DNSKEY 256 3 8 (
				AwEAAdPqBf8AF3+QQAP2olQA7vCDieElo65jyWdphIuI
				T2Awiwd07a83gXgL9Ezp16b8miO1eOSBOUB+0fmBSI6h
				IWCyFNAuh2+P5eCCD+gJq/u2y+ItnyaKZNEFjXF8YJWl
				NoLtmf48xJv9QyepbZ4hLqBlIMf//NdNc8lDyXc/iRRV
				) ; ZSK; alg = RSASHA256; key id = 30795
networktest.com.	3600 IN	DNSKEY 257 3 8 (
				AwEAAceMN3Aad/ups4QFO2JmO7cww1kx5DBQwbouQ/iC
				H5M+zAfo7XddkJZkVp5A9ZKhSqf982r0En3i1lQrNESE
				1ZlWPnDwW8ygBySBORkmNPqLRZG28sBaut2B6n31laWi
				1mj1m6U9NNrAiQG2M19IRlaTCcO6Ud7usMyhPogKcE/3
				5TjuoMv5nzI/hirzOWhOi4F9gRe8UlsVk8q1gWoWDlL5
				oGAIT3VguW3Ifaa9Ywy2BWTy0qSJ6IlMuLtqT+GbJrc+
				qvG9/symJYbcwAKz2Ai0Yuiwhmi6E587wsLV/HZkryMR
				3GMU/6Nt0H4dyhlwCaK4y9StedVmJwHIwI0HSDE=
				) ; KSK; alg = RSASHA256; key id = 20362

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 08 15:58:15 PDT 2013
;; MSG SIZE  rcvd: 892



> 
> AlanC
> 

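An added check for the kind of question raised in this thread (this is editor-supplied example code, not something posted by either participant or shipped with BIND). The timing fields in a .key file describe a lifecycle: the key should be in the DNSKEY RRset from Publish until Delete, Inactive only means it must stop producing new signatures. So a KSK past its Inactive date but before its Delete date is expected to still show up in a DNSKEY query, and an RRSIG it made earlier stays valid until that RRSIG's own expiry. The script below parses the timing comments from a key file and the `key id = N` comments from `dig +multi dnskey`, works out which state the metadata says the key should be in at a given time, and reports whether its presence or absence in the RRset is consistent with that. The key file header and dig lines embedded in it are constructed from the ones quoted in the thread, with the key material elided; `check_key` and the other function names are this example's own. Note that named only acts on these timing fields for zones configured with `auto-dnssec maintain`; `dnssec-settime -p all <keyfile>` prints the same metadata from the private key, and `rndc loadkeys <zone>` makes named re-read it.

```python
"""Compare BIND key-file timing metadata with the DNSKEY RRset a server
actually returns, to tell "not yet due" from "due but not applied"."""
import re
from datetime import datetime, timezone

# Constructed sample input: the .key header quoted in the thread (keyid
# 56989). Only the comment lines matter here; the key record is left out.
KEY_FILE_56989 = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)
"""

# Constructed sample input: the trailing comment lines of the dig +multi
# DNSKEY answer quoted in the thread (key ids as posted, key data elided).
DIG_DNSKEY_OUTPUT = """\
networktest.com.\t3600 IN\tDNSKEY 256 3 8 (
\t\t\t\t) ; ZSK; alg = RSASHA256; key id = 16788
networktest.com.\t3600 IN\tDNSKEY 257 3 8 (
\t\t\t\t) ; KSK; alg = RSASHA256; key id = 56989
networktest.com.\t3600 IN\tDNSKEY 256 3 8 (
\t\t\t\t) ; ZSK; alg = RSASHA256; key id = 30795
networktest.com.\t3600 IN\tDNSKEY 257 3 8 (
\t\t\t\t) ; KSK; alg = RSASHA256; key id = 20362
"""

TIMING_FIELDS = ("Publish", "Activate", "Inactive", "Delete")


def parse_timestamp(s):
    """BIND writes key times as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_key_file(text):
    """Return (keyid, {field: datetime}) from a BIND .key file header."""
    m = re.search(r"keyid (\d+)", text)
    if not m:
        raise ValueError("no keyid comment in key file")
    times = {}
    for field in TIMING_FIELDS:
        fm = re.search(r"^; %s: (\d{14})" % field, text, re.M)
        if fm:
            times[field] = parse_timestamp(fm.group(1))
    return int(m.group(1)), times


def expected_state(times, now):
    """Lifecycle state the metadata says the key should be in at `now`.

    The key belongs in the DNSKEY RRset from Publish until Delete;
    Inactive only stops it signing, it does not remove it.
    """
    if "Delete" in times and now >= times["Delete"]:
        return "deleted"
    if "Inactive" in times and now >= times["Inactive"]:
        return "inactive"
    if "Activate" in times and now >= times["Activate"]:
        return "active"
    if "Publish" in times and now >= times["Publish"]:
        return "published"
    return "unpublished"


def parse_dnskey_ids(dig_output):
    """Key ids from the `; KSK; ... key id = N` comments dig +multi prints."""
    return {int(k): role for role, k in
            re.findall(r";\s*(ZSK|KSK);.*?key id = (\d+)", dig_output)}


def check_key(key_file_text, dig_output, now):
    """Say whether the key's presence in the RRset matches its metadata."""
    keyid, times = parse_key_file(key_file_text)
    state = expected_state(times, now)
    present = keyid in parse_dnskey_ids(dig_output)
    should_be_present = state in ("published", "active", "inactive")
    return {"keyid": keyid, "expected": state, "present": present,
            "consistent": present == should_be_present}


if __name__ == "__main__":
    # The time of the post above: Tue Oct 8 23:01:08 UTC 2013.
    print(check_key(KEY_FILE_56989, DIG_DNSKEY_OUTPUT,
                    parse_timestamp("20131008230108")))
    # A day later the key is past its Delete time and should be gone.
    print(check_key(KEY_FILE_56989, DIG_DNSKEY_OUTPUT,
                    parse_timestamp("20131010000000")))
```

Run against the data in this thread at the time of the post, the script reports key 56989 as "inactive" and present, which is consistent: the key is not due to leave the RRset until Oct 9 20:15 UTC. Only a run after that time, with the key still answered, indicates that named is not applying the metadata.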
