> > key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
> > It has been deleted from the repository at 2012-05-07T14:55:02.569706,
> > but is still included by named 9.9.0 in the zone framail.de
> > (as of 2012-05-10T19:51:32).
>
> To clarify: I'm using inline-signing.
> The repository is the key-directory configured in named.conf.
> "Deleted" means: My script deleted it.
Named won't delete the key from the zone unless you explicitly tell it to do so. For all it knows, your key file may have been removed by mistake.

The correct way to remove a key from your zone is to schedule it for deletion. If it already has a successor published, then you can schedule the event immediately:

  $ dnssec-settime -K <repository-path> -D now Kframail.de.+007+13245
  $ rndc loadkeys framail.de

The -D option says "the key should be deleted after the specified time", which in this case is "now". "rndc loadkeys" tells named to examine the keys in the repository and note any changes to the scheduled events. named will see that the specified KSK is scheduled for deletion, it will remove it from the DNSKEY RRset, and it will resign the DNSKEY RRset with the remaining key(s). After that's happened, you can remove the key file from the repository if you wish.

If you still have a copy of the key file, put it back and follow the above steps. Otherwise, I suggest resigning the zone from scratch with the remaining keys. (Update the SOA serial number in the unsigned zonefile to something higher than the current serial number in the signed zone; move <file>.signed and <file>.signed.jnl to some other location; restart named. A new signed zone should be generated with the correct keyset.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
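The failure in the thread is a script that unlinked a key file before named had acted on the key's Delete time, so the DNSKEY stayed in the zone. The check below is an added example, not code from the post or from ISC's tools: it reads BIND key files (the "; Publish:", "; Activate:", "; Delete:" metadata lines plus the DNSKEY record), computes the key tag per RFC 4034 Appendix B, confirms a successor key of the same role and algorithm is active, and compares the tag against the live DNSKEY RRset before declaring the file safe to remove. The key files, the DNSKEY RRsets and the fake 2-byte public keys are constructed for the example; the helper names (`retirement_status`, `tags_in_rrset`) are mine, and a real rollover script would read the repository directory and the output of `dig +short DNSKEY <zone>` instead of the constructed strings.

```python
import base64
import re
from datetime import datetime, timezone

TS_FMT = "%Y%m%d%H%M%S"  # timestamp format BIND writes into key files (UTC)


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rdata(fields):
    """fields = ['257', '3', '7', '<base64>', ...] -> flags/protocol/algorithm/tag."""
    flags, proto, alg = (int(x) for x in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return {"flags": flags, "protocol": proto, "algorithm": alg,
            "tag": key_tag(flags, proto, alg, pubkey)}


def parse_key_file(text):
    """Parse a K<zone>.+<alg>+<id>.key file: timing comments plus the DNSKEY RR."""
    key = {"timing": {}}
    for line in text.splitlines():
        m = re.match(r";\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", line)
        if m:
            key["timing"][m.group(1)] = datetime.strptime(m.group(2), TS_FMT).replace(tzinfo=timezone.utc)
        elif line.strip() and not line.startswith(";"):
            f = line.split()
            i = f.index("DNSKEY")  # tolerates an optional TTL before the class
            key["owner"] = f[0]
            key.update(parse_dnskey_rdata(f[i + 1:]))
    return key


def tags_in_rrset(dig_short_output):
    """Key tags present in the zone's live DNSKEY RRset (`dig +short DNSKEY <zone>` lines)."""
    return {parse_dnskey_rdata(l.split())["tag"] for l in dig_short_output.splitlines() if l.strip()}


def retirement_status(key, repository, dig_short_output, now):
    """Whether it is safe to unlink this key's file, and if not, why not."""
    t = key["timing"]
    if "Delete" not in t:
        return "not-scheduled"          # run dnssec-settime -D ... and rndc loadkeys first
    if t["Delete"] > now:
        return "delete-time-in-future"
    successors = [k for k in repository
                  if k["tag"] != key["tag"] and k["owner"] == key["owner"]
                  and k["flags"] == key["flags"] and k["algorithm"] == key["algorithm"]
                  and "Activate" in k["timing"] and k["timing"]["Activate"] <= now
                  and ("Delete" not in k["timing"] or k["timing"]["Delete"] > now)]
    if not successors:
        return "no-successor"           # deleting now would leave the role unsigned
    if key["tag"] in tags_in_rrset(dig_short_output):
        return "still-published"        # named has not acted yet; loadkeys and re-check
    return "ok"


NOW = datetime(2012, 5, 10, 19, 51, 32, tzinfo=timezone.utc)  # time of the report above

# Constructed key files; real public keys are hundreds of bytes, these are two.
SAMPLE_KEYS = {
    "old-ksk": """; This is a key-signing key, keyid 1290, for framail.de.
; Created: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Publish: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Delete: 20120507145502 (Mon May  7 14:55:02 2012)
framail.de. IN DNSKEY 257 3 7 AQI=
""",
    "new-ksk": """; This is a key-signing key, keyid 1291, for framail.de.
; Created: 20120401000000 (Sun Apr  1 00:00:00 2012)
; Publish: 20120401000000 (Sun Apr  1 00:00:00 2012)
; Activate: 20120401000000 (Sun Apr  1 00:00:00 2012)
framail.de. IN DNSKEY 257 3 7 AQM=
""",
    "zsk": """; This is a zone-signing key, keyid 1292, for framail.de.
; Created: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Publish: 20120101000000 (Sun Jan  1 00:00:00 2012)
; Activate: 20120101000000 (Sun Jan  1 00:00:00 2012)
framail.de. IN DNSKEY 256 3 7 AQU=
""",
}
REPOSITORY = [parse_key_file(t) for t in SAMPLE_KEYS.values()]
OLD_KSK, NEW_KSK, ZSK = REPOSITORY

# Constructed `dig +short DNSKEY framail.de` output before and after `rndc loadkeys`.
RRSET_BEFORE = "257 3 7 AQI=\n257 3 7 AQM=\n256 3 7 AQU=\n"
RRSET_AFTER = "257 3 7 AQM=\n256 3 7 AQU=\n"

if __name__ == "__main__":
    for label, key in zip(SAMPLE_KEYS, REPOSITORY):
        print(label, key["tag"], retirement_status(key, REPOSITORY, RRSET_BEFORE, NOW))
    print("after loadkeys:", retirement_status(OLD_KSK, REPOSITORY, RRSET_AFTER, NOW))
```

The order of the checks mirrors the procedure in the reply: schedule the deletion with `dnssec-settime -D`, let `rndc loadkeys` have named remove the key from the DNSKEY RRset, and only then unlink the file. The tag is computed from the record rather than taken from the filename, so a renamed or hand-edited key file cannot make the check pass by accident.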