inactivating and deleting DNSSEC keys

David Newman dnewman at networktest.com
Wed Oct 9 17:22:05 UTC 2013



On 10/8/13 5:54 PM, Mark Andrews wrote:
> In message <52548A5D.3070208 at networktest.com>, David Newman writes:
>> bind 9.9.4
>>
>> How to troubleshoot issues when keys are supposed to be invalidated or
>> deleted on specific dates, but aren't?
>>
>> In this case, a KSK was supposed to be inactivated on 29 September 2013
>> and deleted on 9 October 2013.
>>
>> From the .key file:
>>
>> ; This is a key-signing key, keyid 56989, for networktest.com.
>> ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
>> ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
>> ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
>> ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
>> ; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)
>>
>> Problem is, dig says the key is still active, and will be until 29
>> October 2013:
> 
> Named stopped SIGNING with this record on October 29.

Since this is in the future, I think you mean "will stop signing"?

> Inception (20130929181450) is over an hour (clock skew allowance)
> before the Inactivation (20130929201510) time.

OK, do I understand correctly that because the RRSIG got created just
before the inactivate date, it will live on for sig-validity-interval
(30 days in this case), regardless of the key's deletion date?

> 
> The RRSIG will be replaced when the record is due to be re-signed
> which is based on the sig-validity-interval.
> 
> I would be extending the deletion date to 30 days (sig-validity-interval)
> after the inactivation date.

Right, understood.

In UTC terms, we've already passed the key's deletion date. Can I
retroactively extend the key's deletion date?

Thanks

dn

> 
> Mark
> 
>> $ dig networktest.com @localhost +multi rrsig | grep 56989
>> 20131029191450 20130929181450 56989 networktest.com.
>>
>> named.conf has this:
>>
>> options {
>>         ..
>> 	// DNSSEC stuff
>>         managed-keys-directory "managed-keys";
>>         dnssec-enable yes;
>>         dnssec-validation auto;
>> }
>>
>> ..
>>
>> zone "networktest.com" {
>>         type master;
>> 	..
>>         key-directory "managed-keys/networktest.com";
>>         inline-signing yes;
>>         auto-dnssec maintain;
>> };
>>
>> $ ls -l managed-keys/networktest.com/ | grep 56989
>> -rw-r-----  1 bind  bind   719 Jul 31 13:15 Knetworktest.com.+008+56989.key
>> -rw-------  1 bind  bind  1824 Jul 31 13:15 Knetworktest.com.+008+56989.private
>>
>> I don't understand the disconnect between the configured inactive/delete
>> times and the ones returned by dig, and presume this is because I've
>> misconfigured something.
>>
>> Thanks in advance for troubleshooting clues.
>>
>> dn
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
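As an added example for the timing question in this thread (not code from the thread, from David, from Mark or from BIND), the following Python script parses the timing comments of a .key file and the RRSIG fields shown by dig +multi, then reports whether the key's Delete date falls before the last signature made with that key expires. The 30-day sig-validity-interval and the one-hour inception back-dating are taken as stated in the thread and are assumptions of the script, not values read from named.conf; the sample inputs are constructed from the dates quoted above, with a placeholder in place of the signature data.

```python
"""Audit a BIND DNSSEC key's Inactive/Delete schedule against the RRSIGs it produced.

Added example for this thread; not code from the thread or from BIND.
Inputs are the timing comments that dnssec-keygen/dnssec-settime write into
a .key file and the RRSIG fields printed by `dig +multi`.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the timing comments quoted in the thread. The DNSKEY
# record line is omitted; only the comment lines are parsed.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)
"""

# Constructed sample of `dig +multi rrsig` output built from the expiration,
# inception and key tag quoted in the thread; the signature is a placeholder.
DIG_OUTPUT = """\
networktest.com.        3600 IN RRSIG DNSKEY 8 2 3600 (
                                20131029191450 20130929181450 56989 networktest.com.
                                PLACEHOLDERSIGNATURE== )
"""

TS_FMT = "%Y%m%d%H%M%S"   # the YYYYMMDDHHMMSS form used in both places, in UTC


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_key_timing(text):
    """Map timing names (Publish, Activate, Inactive, Delete, ...) to UTC datetimes."""
    pat = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)
    return {m.group(1): parse_ts(m.group(2)) for m in pat.finditer(text)}


RRSIG_FIELDS = re.compile(r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")


def parse_rrsigs(text, keytag):
    """Return [(expiration, inception)] for every RRSIG in dig output made with keytag."""
    return [(parse_ts(m.group(1)), parse_ts(m.group(2)))
            for m in RRSIG_FIELDS.finditer(text) if int(m.group(3)) == keytag]


def audit_key(timing, rrsigs, sig_validity=timedelta(days=30), skew=timedelta(hours=1)):
    """Check that the key stays published until its last signature has expired.

    sig_validity is named's sig-validity-interval (30 days in this thread) and
    skew the hour named subtracts from a signature's inception (the clock-skew
    allowance mentioned in the thread). Both are assumptions of this example,
    not values read from named.conf.
    """
    inactive, delete = timing["Inactive"], timing["Delete"]
    problems = []
    for exp, inc in rrsigs:
        # The actual signing time is the inception plus the skew allowance.
        if inc + skew > inactive:
            problems.append(f"RRSIG with inception {inc:{TS_FMT}} was made after Inactive")
    # The key is still needed until the last RRSIG made with it expires. A signature
    # made just before Inactive lives a full sig-validity-interval, so Delete must be
    # at least Inactive + sig-validity-interval and never before a known expiration.
    latest_exp = max((exp for exp, _ in rrsigs), default=None)
    recommended = inactive + sig_validity
    if latest_exp is not None and latest_exp > recommended:
        recommended = latest_exp
    if delete < recommended:
        problems.append(
            f"Delete {delete:{TS_FMT}} is before {recommended:{TS_FMT}}; validators may still "
            f"hold RRSIGs by this key after its DNSKEY is gone")
    return {"latest_expiration": latest_exp, "recommended_delete": recommended, "problems": problems}


if __name__ == "__main__":
    timing = parse_key_timing(KEY_FILE)
    report = audit_key(timing, parse_rrsigs(DIG_OUTPUT, 56989))
    print("recommended Delete:", report["recommended_delete"].strftime(TS_FMT))
    for p in report["problems"]:
        print("PROBLEM:", p)
```

For the dates in this thread the script reports a recommended Delete of 20131029201510, the Inactive time plus the 30-day sig-validity-interval, which is the correction Mark suggests; BIND's dnssec-settime utility with its -D option writes a new Delete time into the key file.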

