On Feb 2, 2012, at 11:43 AM, Spain, Dr. Jeffry A. wrote:

>> So, is there:
>> A: an easy way to figure out what keyfiles are no longer being used /
>> referenced?
>> B: a simpler way to recover from this when one *does* make a boo boo?
>
> What a fun evening. For the sake of interest, which version of bind is in use?

Doh. I always get annoyed with folk who forget to include this... and then I did it :-P

BIND 9.8.1-P1 built with '--with-openssl=yes' '--with-randomdev=/dev/urandom' '--enable-threads'
using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010

> With regard to item A, how about executing the following from your key
> directory:
>
> for f in *.private; do echo; echo $f; dnssec-settime -p all "$f"; done
>
> Any key file for which the Inactive time is in the past would not be needed
> for signing. Bind would publish it in the zone if the key file were present
> and the Delete time were in the future (and the Publish time in the past).
> Any key for which the Delete time is in the past would not need to be
> retained in the key directory, as it would not be needed for publication or
> signing.

Hmmm. Yeah, that will work... Thanks

W

> With regard to B, I don't understand why restoring the deleted key files
> didn't fix the problem, and so will leave further comment to the experts.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
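The loop quoted above prints the timing metadata of every key file and leaves the reader to compare Inactive and Delete against the clock by hand. The following script is an added example, not code from the thread or from ISC: it applies exactly the rule Jeffry states (Inactive in the past means the key no longer signs; Delete in the past means the file is no longer needed in the key directory; Publish in the past with Delete unset or in the future means BIND still publishes the DNSKEY) to the output of `dnssec-settime -p all`. It assumes that output consists of `Label: value` lines in ctime style (`Mon Jan 30 09:00:00 2012`) or the literal `UNSET`, and treats an unset Delete as "never". The sample outputs and the reference time (Feb 2, 2012, the date of the thread) are constructed for the example.

```python
#!/usr/bin/env python3
"""Classify BIND DNSSEC key files from `dnssec-settime -p all` output.

Added example for the bind-users thread; it is not ISC code. It applies
the rule from the thread: Inactive in the past => no longer signing,
Delete in the past => no longer needed in the key directory.
"""
import glob
import os
import subprocess
import sys
from datetime import datetime

# Assumption: each timing field is printed as "Label: value" with the value
# in ctime style or the literal UNSET.
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"
LABELS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def parse_settime_output(text):
    """Return {label: datetime or None} parsed from dnssec-settime -p all."""
    times = {label: None for label in LABELS}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if sep and label in times and value != "UNSET":
            times[label] = datetime.strptime(value, TIME_FORMAT)
    return times


def classify_key(times, now):
    """Apply the thread's rules; an unset time counts as 'never'."""
    def past(label):
        t = times[label]
        return t is not None and t <= now

    if past("Delete"):
        return "removable"  # neither published nor used for signing
    if past("Inactive"):
        # Delete is unset or in the future: the DNSKEY stays published if
        # Publish has passed, but the key no longer signs anything.
        return "published-not-signing" if past("Publish") else "inactive-unpublished"
    if past("Activate"):
        return "signing"
    if past("Publish"):
        return "prepublished"  # DNSKEY in the zone, not yet signing
    return "pending"


def scan_key_directory(keydir, now=None):
    """Run dnssec-settime on every *.private file and classify each key."""
    now = now or datetime.now()
    report = {}
    for path in sorted(glob.glob(os.path.join(keydir, "*.private"))):
        out = subprocess.run(["dnssec-settime", "-p", "all", path],
                             capture_output=True, text=True, check=True).stdout
        report[os.path.basename(path)] = classify_key(parse_settime_output(out), now)
    return report


# Constructed sample outputs (Mondays in January/February 2012).
SAMPLE_REMOVABLE = """Created: Mon Jan  2 09:00:00 2012
Publish: Mon Jan  2 09:00:00 2012
Activate: Mon Jan  9 09:00:00 2012
Revoke: UNSET
Inactive: Mon Jan 23 09:00:00 2012
Delete: Mon Jan 30 09:00:00 2012
"""
SAMPLE_PUBLISHED_ONLY = """Created: Mon Jan  9 09:00:00 2012
Publish: Mon Jan  9 09:00:00 2012
Activate: Mon Jan 16 09:00:00 2012
Revoke: UNSET
Inactive: Mon Jan 30 09:00:00 2012
Delete: Mon Feb 13 09:00:00 2012
"""
SAMPLE_SIGNING = """Created: Mon Jan 23 09:00:00 2012
Publish: Mon Jan 23 09:00:00 2012
Activate: Mon Jan 30 09:00:00 2012
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
"""
EXAMPLE_NOW = datetime(2012, 2, 2, 11, 43)  # constructed reference time


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for name, status in scan_key_directory(sys.argv[1]).items():
            print(f"{status:24s} {name}")
    else:
        for label, sample in (("removable", SAMPLE_REMOVABLE),
                              ("published-only", SAMPLE_PUBLISHED_ONLY),
                              ("signing", SAMPLE_SIGNING)):
            print(label, "->", classify_key(parse_settime_output(sample), EXAMPLE_NOW))
```

Run it with the key directory as its only argument to classify real key files; without arguments it classifies the three constructed samples. Keys reported as `removable` are the ones the thread says can leave the key directory; `published-not-signing` keys must stay until their Delete time passes, or BIND will stop publishing a DNSKEY that resolvers may still be validating against.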