dnssec-policy - CSK rollover help

vom513 vom513 at gmail.com
Mon Nov 21 14:54:30 UTC 2022



> On Nov 21, 2022, at 3:29 AM, Matthijs Mekking <matthijs at isc.org> wrote:
> 
> Hi,
> 
> It is hard to see what the problem is without any configuration or state information. Also, log level debug 3 gives you probably more useful logs when investigating a problem.
> 
> Can you share (privately if you wish) the key **state** files, and the output of 'rndc dnssec -status' for the given zone?

Yep, nothing top secret here.  Here is rndc dnssec -status as well as the state file.  Judging by the lifetime / retirement - looks like I have a 2 hour window after the rollover?  I suppose I can/should tweak/increase this lifetime in the dnssec-policy?

--
dnssec-policy: default-nsec3
current time:  Mon Nov 21 09:50:11 2022

key: 46697 (ECDSAP256SHA256), CSK
  published:      yes - since Wed Nov 16 22:07:32 2022
  key signing:    yes - since Wed Nov 16 22:07:32 2022
  zone signing:   yes - since Wed Nov 16 22:07:32 2022

  Next rollover scheduled on Tue Nov 22 18:00:00 2022
  - goal:           omnipresent
  - dnskey:         omnipresent
  - ds:             omnipresent
  - zone rrsig:     omnipresent
  - key rrsig:      omnipresent

; This is the state of key 46697, for acuity.tech.
Algorithm: 13
Length: 256
Lifetime: 511048
KSK: yes
ZSK: yes
Generated: 20221117030732 (Wed Nov 16 22:07:32 2022)
Published: 20221117030732 (Wed Nov 16 22:07:32 2022)
Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
Removed: 20221203021000 (Fri Dec  2 21:10:00 2022)
DSPublish: 20221118201223 (Fri Nov 18 15:12:23 2022)
PublishCDS: 20221118041232 (Thu Nov 17 23:12:32 2022)
DNSKEYChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
ZRRSIGChange: 20221118041232 (Thu Nov 17 23:12:32 2022)
KRRSIGChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
DSChange: 20221119221223 (Sat Nov 19 17:12:23 2022)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent
--
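
Added example, not part of the original message: a small Python parser for the timing fields of the key state file quoted above. It checks that Retired equals Active plus Lifetime and measures the gap between the scheduled rollover and the Retired time. The function names are hypothetical, and the UTC-5 offset for the rndc output is an assumption taken from the difference between the UTC stamps and the parenthesised local times in the state file.

```python
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the key state file quoted in the message above (timing fields only).
STATE = """\
Lifetime: 511048
Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
Removed: 20221203021000 (Fri Dec  2 21:10:00 2022)
"""
# "Next rollover scheduled on" value from the rndc dnssec -status output above.
# Assumption: rndc printed local time at UTC-5 (see the lead-in).
NEXT_ROLLOVER_LOCAL = "Tue Nov 22 18:00:00 2022"
LOCAL_OFFSET = timedelta(hours=-5)

def parse_state(text):
    """Return {field: value}; 14-digit stamps become UTC datetimes, integers stay ints."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\S+)", line)
        if not m:
            continue  # comment line (";") or blank line
        key, val = m.groups()
        if re.fullmatch(r"\d{14}", val):
            out[key] = datetime.strptime(val, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        elif val.isdigit():
            out[key] = int(val)
        else:
            out[key] = val
    return out

def rollover_window(state, next_rollover_local, offset):
    """Time between the scheduled rollover start and the current key's Retired time."""
    local = datetime.strptime(next_rollover_local, "%a %b %d %H:%M:%S %Y")
    start_utc = (local - offset).replace(tzinfo=timezone.utc)
    return state["Retired"] - start_utc

def lifetime_consistent(state):
    """True when Retired equals Active plus Lifetime seconds."""
    return state["Active"] + timedelta(seconds=state["Lifetime"]) == state["Retired"]

if __name__ == "__main__":
    s = parse_state(STATE)
    print("Retired == Active + Lifetime:", lifetime_consistent(s))
    print("rollover start -> Retired:", rollover_window(s, NEXT_ROLLOVER_LOCAL, LOCAL_OFFSET))
    print("Retired -> Removed:", s["Removed"] - s["Retired"])
```
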

