dnssec-coverage - ignore coverage gaps in the distant past

Graham Clinch g.clinch at lancaster.ac.uk
Tue Jun 24 10:26:43 UTC 2014


Hi folks,

Summary: Is there a trick to running dnssec-coverage so that it will not 
report failure if there are coverage gaps in the 'distant' past?

Detail:

I've performed a key rollover, and dnssec-coverage reports:

===
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone palatine.ac.uk, algorithm 
RSASHA256...
   Thu Apr 24 08:56:09 UTC 2014:
     Publish: palatine.ac.uk/008/04681 (KSK)
     Activate: palatine.ac.uk/008/04681 (KSK)
   Thu May 01 15:02:35 UTC 2014:
     Publish: palatine.ac.uk/008/37960 (KSK)
   Sat May 31 15:02:35 UTC 2014:
     Activate: palatine.ac.uk/008/37960 (KSK)
     Inactive: palatine.ac.uk/008/04681 (KSK)
   Sun Jun 29 15:02:35 UTC 2014:
     Delete: palatine.ac.uk/008/04681 (KSK)
No errors found

Checking scheduled ZSK events for zone palatine.ac.uk, algorithm 
RSASHA256...
   Thu Apr 24 08:56:38 UTC 2014:
     Publish: palatine.ac.uk/008/27594 (ZSK)
     Activate: palatine.ac.uk/008/27594 (ZSK)
   Wed May 07 11:36:59 UTC 2014:
     Publish: palatine.ac.uk/008/30231 (ZSK)
   Thu May 08 11:36:59 UTC 2014:
     Inactive: palatine.ac.uk/008/27594 (ZSK)
     Activate: palatine.ac.uk/008/30231 (ZSK)
   Thu Jun 05 11:36:59 UTC 2014:
     Delete: palatine.ac.uk/008/27594 (ZSK)
No errors found
===

As the ZSK palatine.ac.uk/008/27594 has been deleted from the zone, I'd 
like to simplify the key directory by removing the now unused key 
material.  When I do so, named continues happily (the zone is 
inline-signed), and there are no warnings when it rescans the key directory.

However, dnssec-coverage now complains:

===
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone palatine.ac.uk, algorithm 
RSASHA256...
   Thu Apr 24 08:56:09 UTC 2014:
     Publish: palatine.ac.uk/008/04681 (KSK)
     Activate: palatine.ac.uk/008/04681 (KSK)
   Thu May 01 15:02:35 UTC 2014:
     Publish: palatine.ac.uk/008/37960 (KSK)
   Sat May 31 15:02:35 UTC 2014:
     Activate: palatine.ac.uk/008/37960 (KSK)
     Inactive: palatine.ac.uk/008/04681 (KSK)
   Sun Jun 29 15:02:35 UTC 2014:
     Delete: palatine.ac.uk/008/04681 (KSK)
No errors found

Checking scheduled ZSK events for zone palatine.ac.uk, algorithm 
RSASHA256...
   Wed May 07 11:36:59 UTC 2014:
     Publish: palatine.ac.uk/008/30231 (ZSK)
ERROR: No ZSK's are active after this event
===

If dnssec-coverage continued processing and got to May the 8th, it 
(should) find that the key became active.

Is there a trick to ask dnssec-coverage to ignore gaps in the distant (> 
TTL?) past, or do I need to keep all of the keys ever used on the zone 
in the key directory, if I wish to use dnssec-coverage?

Graham

-- 
Graham Clinch
Systems Programmer,
Lancaster University
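The behaviour asked about above, modelled as an added example that is not part of the original post and not BIND's dnssec-coverage code: it parses the Publish/Activate/Inactive/Delete timeline in the format dnssec-coverage prints, walks the events in time order tracking which keys of one role are active, and records every interval with no active key. Gaps that closed before a cutoff (here an assumed "now" of the post date minus an assumed one-day maximum TTL) are reported but not counted as failures. The two sample timelines are constructed from the ZSK events in the post; the pruned one includes the May 8 Activate of key 30231 that the poster says the tool would have found.

```python
"""Coverage check over a dnssec-coverage-style key event timeline.

Added example (not BIND's dnssec-coverage source). Gaps that closed
before `cutoff` are ignored; open-ended gaps and gaps that close after
`cutoff` are failures. The cutoff semantics are this example's own
construction, not a dnssec-coverage option.
"""
import re
from datetime import datetime, timedelta, timezone
from itertools import groupby

# Lines like "   Thu May 08 11:36:59 UTC 2014:" and "     Activate: zone/008/30231 (ZSK)"
TIME_RE = re.compile(r"^\s*(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} UTC \d{4}):\s*$")
EVENT_RE = re.compile(r"^\s*(Publish|Activate|Inactive|Delete|Revoke): (\S+) \((KSK|ZSK)\)\s*$")


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_events(text):
    """Return [(time, event, key, role)] from dnssec-coverage-style output."""
    events, current = [], None
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S UTC %Y")
            current = current.replace(tzinfo=timezone.utc)
            continue
        m = EVENT_RE.match(line)
        if m and current is not None:
            events.append((current, m.group(1), m.group(2), m.group(3)))
    return events


def find_gaps(events, role):
    """Intervals (start, end) during which no key of `role` is active.

    All events at one instant are applied before the state is checked, so a
    same-second Inactive/Activate swap (a normal ZSK rollover) is not a gap.
    Like dnssec-coverage, a first event with no active key opens a gap.
    An open-ended gap has end=None.
    """
    role_events = sorted((e for e in events if e[3] == role), key=lambda e: e[0])
    active, gaps, gap_start = set(), [], None
    for when, group in groupby(role_events, key=lambda e: e[0]):
        for _, ev, key, _role in group:
            if ev == "Activate":
                active.add(key)
            elif ev in ("Inactive", "Delete", "Revoke"):
                active.discard(key)
        if active and gap_start is not None:
            gaps.append((gap_start, when))
            gap_start = None
        elif not active and gap_start is None:
            gap_start = when
    if gap_start is not None:
        gaps.append((gap_start, None))
    return gaps


def check_coverage(events, role, cutoff):
    """Split gaps into (failures, ignored): a gap that closed at or before
    `cutoff` is ignored; open-ended or later gaps are failures."""
    failures, ignored = [], []
    for start, end in find_gaps(events, role):
        if end is not None and end <= cutoff:
            ignored.append((start, end))
        else:
            failures.append((start, end))
    return failures, ignored


# Constructed from the ZSK timelines in the post: the full history, then the
# same zone after the retired key 27594 was removed from the key directory.
FULL_ZSK = """\
   Thu Apr 24 08:56:38 UTC 2014:
     Publish: palatine.ac.uk/008/27594 (ZSK)
     Activate: palatine.ac.uk/008/27594 (ZSK)
   Wed May 07 11:36:59 UTC 2014:
     Publish: palatine.ac.uk/008/30231 (ZSK)
   Thu May 08 11:36:59 UTC 2014:
     Inactive: palatine.ac.uk/008/27594 (ZSK)
     Activate: palatine.ac.uk/008/30231 (ZSK)
   Thu Jun 05 11:36:59 UTC 2014:
     Delete: palatine.ac.uk/008/27594 (ZSK)
"""
PRUNED_ZSK = """\
   Wed May 07 11:36:59 UTC 2014:
     Publish: palatine.ac.uk/008/30231 (ZSK)
   Thu May 08 11:36:59 UTC 2014:
     Activate: palatine.ac.uk/008/30231 (ZSK)
"""

if __name__ == "__main__":
    now = utc(2014, 6, 24)            # assumed "now": the date of the post
    max_ttl = timedelta(days=1)       # assumed largest TTL in the zone
    for label, text in (("full", FULL_ZSK), ("pruned", PRUNED_ZSK)):
        failures, ignored = check_coverage(parse_events(text), "ZSK", now - max_ttl)
        print(label, "failures:", failures, "ignored past gaps:", ignored)
```

With the full history there are no gaps. With the pruned directory the walk finds the same gap dnssec-coverage complains about (from the Publish of 30231 until its Activate a day later), but because that gap closed long before now minus the TTL it is listed as ignored rather than as a failure; an Inactive with no later Activate still fails whatever the cutoff, since resolvers would see an unsigned zone from that point on.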