dnssec automatic signing
Jittinan Suwanruengsri
jittinans at ttt.co.th
Thu Aug 28 07:48:11 UTC 2014
Hi,
This is the example.com zone:

$ORIGIN .
$TTL 86400 ; 1 day
example.com             86400 IN SOA ns.example.com. hostmaster.example.com. (
                                2013122402 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        86400 NS  ns.example.com.
$ORIGIN example.com.
ns                      86400 A   10.10.10.10
sub                     86400 NS  ns.sub
                        86400 DS  19264 8 1 (
                                EA38AD65596500B2D6A4BC04478FFD5C13FF7600 )
                        86400 DS  19264 8 2 (
                                A68BF3856CA9AF1A669EA10DEC8BA72E174108EEB5AA
                                D1CF5A3C919E5AB9B60B )
                        86400 DS  36579 7 1 (
                                83F190FDEBF79DFEC93571D2C06240834C059414 )
                        86400 DS  36579 7 2 (
                                EAFB90C1EB610CF566EC677A381D5F9DCAFB8B0E2B6D
                                C78A7788E501D523187C )
$ORIGIN sub.example.com.
ns                      86400 A   10.10.10.11
$ORIGIN example.com.
www                     86400 A   2.2.2.2
This is the zone status:

1.
[root@dnssec zone]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122402
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: no
key maintenance: automatic
next key event: Wed, 30 Jul 2014 18:00:34 GMT
dynamic: yes
frozen: no

2.
[root@dnssec keys]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122404
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Fri, 01 Aug 2014 02:00:00 GMT
next resign node: ns.example.com/NSEC
next resign time: Sat, 23 Aug 2014 12:30:46 GMT
dynamic: yes
frozen: no

3.
[root@dnssec zone]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122405
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 23 Aug 2014 13:30:46 GMT
next resign node: example.com/DNSKEY
next resign time: Sat, 23 Aug 2014 13:00:00 GMT
dynamic: yes
frozen: no

4.
[root@dnssec zone]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122406
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 23 Aug 2014 13:30:46 GMT
next resign node: ns.example.com/NSEC
next resign time: Mon, 15 Sep 2014 00:10:11 GMT
dynamic: yes
frozen: no
I notice that the next resign nodes are only ns.example.com/NSEC and example.com/DNSKEY, but actually there are 5 nodes in example.com.
How does BIND choose the next resign node? What algorithm does it use?
Thank you
Jittinan Suwanrueangsri
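The `rndc zonestatus` snapshots above are the kind of output an operator would poll to confirm that inline signing stays healthy. The following is an added example, not code from the post or from BIND: it parses the `key: value` lines rndc prints and flags an unsigned zone, a missing inline-signing state, a signed serial that lags the unsigned one, and a `next resign time` that is closer than a configurable lead time. The two sample snapshots are constructed from the first and fourth outputs quoted above; the 24-hour lead time is an assumed threshold.

```python
from datetime import datetime, timezone
# rndc prints times like "Sat, 23 Aug 2014 12:30:46 GMT"
RNDC_TIME_FMT = "%a, %d %b %Y %H:%M:%S %Z"

# Constructed samples: the first and fourth snapshots quoted in the post.
SNAPSHOT_UNSIGNED = """\
name: example.com
serial: 2013122402
signed serial: 2013122402
secure: no
"""
SNAPSHOT_SIGNED = """\
name: example.com
serial: 2013122402
signed serial: 2013122406
secure: yes
inline signing: yes
next resign node: ns.example.com/NSEC
next resign time: Mon, 15 Sep 2014 00:10:11 GMT
"""

def parse_rndc_time(text):
    """Parse an rndc timestamp into an aware UTC datetime."""
    return datetime.strptime(text, RNDC_TIME_FMT).replace(tzinfo=timezone.utc)

def parse_zonestatus(text):
    """Turn the 'key: value' lines into a dict (the first colon ends the key)."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            status[key.strip()] = value.strip()
    return status

def check_zonestatus(text, now, min_lead_hours=24):
    """Return findings worth alerting on; an empty list means the zone looks healthy."""
    st = parse_zonestatus(text)
    now = parse_rndc_time(now) if isinstance(now, str) else now
    findings = []
    if st.get("secure") != "yes":
        findings.append("zone is not signed (secure != yes)")
    if st.get("inline signing") != "yes":
        findings.append("inline signing not active")
    if int(st.get("signed serial", 0)) < int(st.get("serial", 0)):
        findings.append("signed serial is behind the unsigned serial")
    if "next resign time" in st:
        hours_left = (parse_rndc_time(st["next resign time"]) - now).total_seconds() / 3600
        if hours_left < min_lead_hours:
            findings.append(f"next resign of {st.get('next resign node')} due in {hours_left:.1f}h")
    return findings
```

Feed it the live output of `rndc zonestatus <zone>` from a cron job and alert on any non-empty result.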