bind 9.10-P2 dnssec keys management
Mark Andrews
marka at isc.org
Fri Aug 8 03:49:38 UTC 2014
Please FIX your email client. It really stuffs up the text/plain by adding
in additional lines.
In message <102153BEF555E7489CA5D54165C431A3013015DC at exchbsi02.ttt.co.th>, "Jittinan Suwanruengsri" writes:
>
> Hi,
>
> 1. My server uses key id 23412 first and then 40767.
>
> [root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+23412
> Created: Wed Jul 30 14:56:09 2014
> Publish: Wed Jul 30 14:56:09 2014
> Activate: Fri Aug 1 14:56:09 2014
> Revoke: UNSET
> Inactive: Sun Aug 31 14:56:09 2014
> Delete: Mon Sep 1 14:56:09 2014
>
> [root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+40767
> Created: Thu Aug 7 15:59:03 2014
> Publish: Fri Aug 29 14:56:09 2014
> Activate: Sun Aug 31 14:56:09 2014
> Revoke: UNSET
> Inactive: Tue Sep 30 14:56:09 2014
> Delete: Wed Oct 1 14:56:09 2014
>
> 2. In order to test changing to a new ZSK, I set the OS clock to a
> future time, Aug 31 14:56:08 2014. Now it is Aug 7 2014. Then I waited
> 2-3 secs to ensure that BIND activates the new ZSK id 40767 and
> inactivates the old ZSK id 23412.
>
> 3. I use dig to check whether BIND activated the new key correctly or
> not, but I notice there are some DNS records which are signed by the new
> key and some DNS records which are signed by the old key. In theory, after
> the new ZSK is activated, all DNS records must be signed with the new key.
No. Once a key is activated it will be used to sign rrsets as they
fall due for re-signing. Named does NOT walk the zone and re-sign
every rrset.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
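The mixed-signature state Mark describes can be measured rather than eyeballed: every RRSIG carries the key tag of the key that produced it and its own expiration time, so `dig +dnssec` output tells you how far a ZSK rollover has progressed RRset by RRset. The script below is an added example, not code from this thread or from ISC. The RRSIG lines in SAMPLE_RRSIGS are constructed to match the key tags in the question (23412 old, 40767 new, 12345 standing in for a KSK); the function names and the field positions (awk fields 4, 5, 9 and 11 for the RRSIG type, covered type, expiration and key tag in dig's presentation format) are the author's assumptions about what a practitioner would check.

```shell
#!/bin/sh
# Added example: measure ZSK rollover progress from `dig +dnssec` output.
# Not part of the original bind-users thread.

# Constructed sample of RRSIG records as dig prints them, shortly after the
# new ZSK (40767) became active. Some RRsets have already been re-signed
# with 40767, others still carry 23412 signatures that have not fallen due.
# The DNSKEY RRSIG is signed by a (made-up) KSK tag 12345 and is ignored
# by the ZSK counts. Signature data is abbreviated.
SAMPLE_RRSIGS='example.com. 3600 IN RRSIG SOA 5 2 3600 20140930145609 20140831145609 40767 example.com. AAAA
example.com. 3600 IN RRSIG NS 5 2 3600 20140911120000 20140812120000 23412 example.com. BBBB
example.com. 3600 IN RRSIG A 5 2 3600 20140905090000 20140806090000 23412 example.com. CCCC
example.com. 3600 IN RRSIG MX 5 2 3600 20140930145609 20140831145609 40767 example.com. DDDD
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20140930145609 20140831145609 12345 example.com. EEEE'

# count_by_keytag TAG: number of non-DNSKEY RRSIGs on stdin made by key TAG.
# Field 4 is the RRSIG type, field 5 the covered type, field 11 the key tag.
count_by_keytag() {
    awk -v tag="$1" '$4 == "RRSIG" && $5 != "DNSKEY" && $11 == tag { n++ } END { print n + 0 }'
}

# stale_rrsets TAG: list the RRset types still signed by key TAG together
# with the signature expiration (field 9, YYYYMMDDHHMMSS).
stale_rrsets() {
    awk -v old="$1" '$4 == "RRSIG" && $11 == old { print $5, "expires", $9 }'
}

# latest_old_expiry TAG: the latest expiration among TAG's signatures.
# named must re-sign each RRset before its signature expires, and once
# TAG is inactive the replacement signature comes from the new ZSK, so
# this is an upper bound on when the last old-key signature disappears.
latest_old_expiry() {
    awk -v old="$1" '$4 == "RRSIG" && $11 == old && $9 > max { max = $9 } END { print max }'
}

# Report for the constructed sample. Replace the printf with
#   dig +dnssec @ns1.example.com example.com ANY | grep RRSIG
# to run it against a live server.
OLD_TAG=23412
NEW_TAG=40767
echo "RRSIGs by old ZSK $OLD_TAG: $(printf '%s\n' "$SAMPLE_RRSIGS" | count_by_keytag "$OLD_TAG")"
echo "RRSIGs by new ZSK $NEW_TAG: $(printf '%s\n' "$SAMPLE_RRSIGS" | count_by_keytag "$NEW_TAG")"
echo "RRsets still carrying old-key signatures:"
printf '%s\n' "$SAMPLE_RRSIGS" | stale_rrsets "$OLD_TAG"
echo "All old-key signatures gone no later than: $(printf '%s\n' "$SAMPLE_RRSIGS" | latest_old_expiry "$OLD_TAG")"
```

Run the same functions over real `dig +dnssec ... ANY` output (or one query per RRset type) and the old-key count should drop to zero over the re-signing period rather than immediately at the Activate time, which is exactly the behaviour Mark describes. Checking `latest_old_expiry` against the old key's Delete date is the practical test that matters: as long as the last old-key signature expires before the key is deleted from the zone, validators never see a signature without its DNSKEY.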