dnssec-policy - CSK rollover help
Matthijs Mekking
matthijs at isc.org
Mon Nov 21 08:29:32 UTC 2022
Hi,
It is hard to see what the problem is without any configuration or state
information. Also, log level debug 3 probably gives you more useful logs
when investigating a problem.
Can you share (privately if you wish) the key **state** files, and the
output of 'rndc dnssec -status' for the given zone?
Best regards,
Matthijs
On 20-11-2022 00:50, vom513 wrote:
> Hello,
>
> So I reconfigured one of my domains to use dnssec-policy. I’m using the policy “default” + I’ve only added nsec3 stuff. All other timers / params are from default. Working fine / as expected.
>
> Luckily for me this is a domain that I don’t use much. So outages and mistakes are easily tolerable.
>
> After a bumpy start, I have the zone “happy” - that is, fully signed, DS in parent, and all timers reading “omnipresent”.
>
> I’m trying to use this ISC KB as a guide: https://kb.isc.org/docs/dnssec-key-and-signing-policy
>
> So I decided to try a rollover. So I did: rndc dnssec -rollover -key 12345 -when 20221122230000 example.com
>
> This now shows up as scheduled in rndc dnssec -status.
>
> However, I expected BIND to create a successor CSK. Nothing in the key dir, nothing in logs, nothing in rndc status.
>
> The whole point of course is to have two “overlapping” keys, two DS’es, i.e. two chains of trust. And then when everything is happy timer-wise, the old key (and DS) can go away.
>
> Is BIND going to do this sometime before the actual rollover ? Or is there something else I need to do ? Speaking of this - what exactly happens at the rollover time ?
>
> Thanks.
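Matthijs asks for the key state files and the `rndc dnssec -status` output because those are where the rollover state actually lives. The following is an added example (not code from the thread, from ISC, or from BIND) that summarises a set of `K<zone>+<alg>+<keyid>.state` files the way a defender would when checking a zone like the one above: is the current CSK fully omnipresent, and has a successor key been linked to it yet? It assumes the state file is a sequence of `Field: value` lines with the field names shown in the constructed samples below (`DNSKEYState`, `ZRRSIGState`, `KRRSIGState`, `DSState`, `GoalState`, `Predecessor`, `Successor`, `KSK`, `ZSK`); the key IDs, timestamps and zone are made up for the example.

```python
"""Added example: summarise BIND 9 dnssec-policy key state files to see
whether a CSK is fully omnipresent and whether a successor is linked."""
import re
from typing import Dict, List

# Per-record state fields; values are hidden / rumoured / omnipresent / unretentive.
STATE_FIELDS = ("DNSKEYState", "ZRRSIGState", "KRRSIGState", "DSState")
FILENAME_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.state$")

# Constructed sample (not real files): key 12345 is a fully omnipresent CSK
# whose successor 54321 has just been introduced (DNSKEY published, DS hidden).
SAMPLE_FILES = {
    "Kexample.com.+013+12345.state": """\
; This is the state of key 12345, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: yes
Successor: 54321
Generated: 20221101000000 (Tue Nov  1 00:00:00 2022)
Published: 20221101000000 (Tue Nov  1 00:00:00 2022)
Active: 20221101000000 (Tue Nov  1 00:00:00 2022)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent
""",
    "Kexample.com.+013+54321.state": """\
; This is the state of key 54321, for example.com.
Algorithm: 13
Length: 256
Lifetime: 0
KSK: yes
ZSK: yes
Predecessor: 12345
Generated: 20221122230000 (Tue Nov 22 23:00:00 2022)
Published: 20221122230000 (Tue Nov 22 23:00:00 2022)
DNSKEYState: rumoured
ZRRSIGState: hidden
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
""",
}


def parse_state_file(text: str) -> Dict[str, str]:
    """Turn 'Field: value' lines into a dict. Comment lines (';') and blank
    lines are skipped; the human-readable date in parentheses after a
    timestamp is dropped so only the YYYYMMDDHHMMSS value remains."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields[name.strip()] = re.sub(r"\s*\(.*\)$", "", value.strip())
    return fields


def summarize_key(filename: str, text: str) -> Dict[str, object]:
    """Summarise one key: kind, goal, per-record states and rollover links."""
    m = FILENAME_RE.match(filename)
    if m is None:
        raise ValueError(f"not a key state file name: {filename}")
    f = parse_state_file(text)
    # Assumption for this example: a state field absent from the file is
    # treated as hidden (the record has not been introduced).
    states = {name: f.get(name, "hidden") for name in STATE_FIELDS}
    return {
        "keyid": m.group("keyid"),
        "zone": m.group("zone"),
        "csk": f.get("KSK") == "yes" and f.get("ZSK") == "yes",
        "goal": f.get("GoalState", "unknown"),
        "states": states,
        "all_omnipresent": all(s == "omnipresent" for s in states.values()),
        "predecessor": f.get("Predecessor") or None,
        "successor": f.get("Successor") or None,
    }


def analyze(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map key id -> summary for every state file given as {filename: text}."""
    return {s["keyid"]: s for s in (summarize_key(n, t) for n, t in files.items())}


def rollover_in_progress(summary: Dict[str, Dict[str, object]]) -> bool:
    """True when some key is linked to a successor or predecessor, i.e. a
    rollover has started and two keys are meant to overlap."""
    return any(k["successor"] or k["predecessor"] for k in summary.values())


def report(summary: Dict[str, Dict[str, object]]) -> List[str]:
    """One human-readable line per key, in key-id order."""
    lines = []
    for keyid, k in sorted(summary.items()):
        kind = "CSK" if k["csk"] else "KSK/ZSK"
        st = " ".join(f"{n.replace('State', '')}={v}" for n, v in k["states"].items())
        link = f" successor={k['successor']}" if k["successor"] else ""
        link += f" predecessor={k['predecessor']}" if k["predecessor"] else ""
        lines.append(f"key {keyid} ({kind}) goal={k['goal']} {st}{link}")
    return lines


if __name__ == "__main__":
    s = analyze(SAMPLE_FILES)
    for line in report(s):
        print(line)
    print("rollover in progress:", rollover_in_progress(s))
```

Run against the real key directory by reading each `*.state` file into the `files` dict; if no key carries a `Successor` line, the rollover has not yet introduced a second key, which is the condition the original poster was looking for after scheduling with `rndc dnssec -rollover`.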