auto-dnssec maintain and DNSKEY removal

Tony Finch dot at dotat.at
Tue Jul 5 17:48:11 UTC 2016


Mathew Ian Eis <Mathew.Eis at nau.edu> wrote:
>
> > Are you allowing enough time for named to go through a zone key
> > maintenance cycle? (which is hourly if I remember correctly)
>
> I’m not sure, it sounds like perhaps not always? You’ve mentioned a
> “zone key maintenance cycle” of an hour, and the docs also casually
> mention that “by default, this [key] rollover completes in 30 days” [1].
 
These are two separate things.
 
The zone key maintenance timer controls when named re-examines a zone's
keys (checks for changes to the files, loads new keys, etc.). I haven't
checked this myself in detail, but named can get confused and upset if a
key file disappears while named thinks the key is still in use, so I
suspect it might go wrong if the file is deleted after the key deletion
time but before the zone key timer triggers.
 
The rollover time is related to the signature lifetime - you have to
stop signing with a key, allow a month for the signatures to be
replaced, then delete the key, and you specify all this with
dnssec-settime, and check it is sane with dnssec-coverage. (Which I am
sure you know but I wanted to avoid confusion.)
 
> How long after deletion time is it safe to actually remove the
> underlying key files, if it isn’t the deletion time itself?
 
You should probably augment your key file deletion script to verify that
the key has in fact gone from the zone - if you add suitable warning
diagnostics it will probably reveal what is actually going wrong, more
reliably than my guesses!
 
Tony.
--
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
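One way to implement the check Tony suggests, as an added example that is not part of the original thread or of BIND itself: a guard for a key-file cleanup script that refuses to remove a `K*.key`/`K*.private` pair while its key tag is still present in the zone's published DNSKEY RRset, and logs a warning when it does so. It parses the `; key id = NNNN` annotations that `dig +multi DNSKEY` prints; the DNSKEY output below is constructed sample text (placeholder key material, made-up key tags), and the zone name `example.com`, the key directory and the `@localhost` query target are assumptions.

```shell
#!/bin/sh
# Guard for a BIND key-file cleanup job (added example, not from the thread):
# only delete a key's files once its tag has actually gone from the zone's
# DNSKEY RRset.  Assumes BIND's `dig` is installed for the live path; the
# decision logic itself works on captured text so it can run offline.

# Kexample.com.+013+00456.key -> 456   (filename tag is zero-padded to 5 digits,
# dig's "key id" annotation is not, so strip the padding before comparing)
key_tag_from_filename() {
    basename "$1" | sed -E 's/^K.*\+[0-9]{3}\+0*([0-9]+)\.(key|private)$/\1/'
}

# Read `dig +multi DNSKEY` output on stdin, emit one key tag per line.
dnskey_tags() {
    sed -nE 's/.*key id = ([0-9]+).*/\1/p'
}

# $1 = captured dig output, $2 = key tag.  Exit 0 if the tag is still published.
key_is_published() {
    printf '%s\n' "$1" | dnskey_tags | grep -qx "$2"
}

# $1 = captured dig output, $2 = key file path.
# Exit 0 only when the key is no longer in the DNSKEY RRset (safe to remove).
safe_to_remove_keyfile() {
    tag=$(key_tag_from_filename "$2")
    case "$tag" in
        ''|*[!0-9]*) echo "ERROR: cannot derive key tag from $2" >&2; return 2 ;;
    esac
    if key_is_published "$1" "$tag"; then
        echo "WARNING: key tag $tag ($2) is still in the DNSKEY RRset; not removing" >&2
        return 1
    fi
    return 0
}

# Live path: query the authoritative server (assumed to be local named) and
# remove the .key/.private pair only when the guard passes.  Not run here.
remove_key_if_unpublished() {   # $1 = zone, $2 = path to K*.key
    zone=$1; keyfile=$2
    rrset=$(dig +multi +norecurse @localhost "$zone" DNSKEY) || return 2
    safe_to_remove_keyfile "$rrset" "$keyfile" || return $?
    rm -f -- "$keyfile" "${keyfile%.key}.private"
    echo "removed $keyfile and its .private file"
}

# Constructed sample of `dig +multi DNSKEY` output (placeholder key material):
# a KSK with tag 31589 and a ZSK with tag 12345 are published; tag 456 is not.
SAMPLE_DIG_OUTPUT='example.com.    3600 IN DNSKEY 257 3 13 (
                                PLACEHOLDERKSKBASE64DATAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                                xxxxxxxxxxxxxxxxxxxxxxxxxxxx==
                                ) ; KSK; alg = ECDSAP256SHA256 ; key id = 31589
example.com.    3600 IN DNSKEY 256 3 13 (
                                PLACEHOLDERZSKBASE64DATAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                                xxxxxxxxxxxxxxxxxxxxxxxxxxxx==
                                ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 12345'

# Offline demonstration against the constructed sample.
safe_to_remove_keyfile "$SAMPLE_DIG_OUTPUT" /var/named/keys/Kexample.com.+013+12345.key \
    && echo "would remove 12345 (unexpected)" || echo "kept 12345: still published"
safe_to_remove_keyfile "$SAMPLE_DIG_OUTPUT" /var/named/keys/Kexample.com.+013+00456.key \
    && echo "456 is gone from the zone: safe to remove"
```

Run the guard on a schedule after each key's Delete time (the time set with `dnssec-settime -D`) rather than at the Delete time itself: if the warning fires, named has not yet acted on the deletion, which is exactly the situation the thread is trying to diagnose.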
 
 