On 10.05.2012 at 23:52, Evan Hunt wrote:

>>> key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
>>> It has been deleted from the repository at 2012-05-07T14:55:02.569706,
>>> but is still included by named 9.9.0 in the zone framail.de
>>> (as of 2012-05-10T19:51:32).
>>
>> To clarify: I'm using inline-signing.
>> The repository is the key-directory configured in named.conf.
>> "Deleted" means: My script deleted it.
>
> Named won't delete the key from the zone unless you explicitly tell
> it to do so. For all it knows, your key file may have been removed
> by mistake.
>
> The correct way to remove a key from your zone is to schedule it
> for deletion. If it already has a successor published, then you can
> schedule the event immediately:
>
> $ dnssec-settime -K <repository-path> -D now Kframail.de.+007+13245

That's what I mean by "key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set".

> $ rndc loadkeys framail.de
>
> The -D option says "the key should be deleted after the specified
> time", which in this case is "now". "rndc loadkeys" tells named to
> examine the keys in the repository and note any changes to the scheduled
> events. named will see that the specified KSK is scheduled for deletion,
> it will remove it from the DNSKEY RRset, and it will resign the DNSKEY
> RRset with the remaining key(s).

I have "auto-dnssec maintain;" set, and my understanding is that named does not require an rndc loadkeys to remove the key from the DNSKEY RRset if the delete time, set with dnssec-settime, has passed. Is this wrong?

> After that's happened, you can remove the key file from the repository
> if you wish.
>
> If you still have a copy of the key file, put it back and follow the
> above steps. Otherwise, I suggest resigning the zone from scratch
> with the remaining keys. (Update the SOA serial number in the unsigned
> zonefile to something higher than the current serial number in the
> signed zone; move <file>.signed and <file>.signed.jnl to some other
> location; restart named. A new signed zone should be generated with
> the correct keyset.)
Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
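The situation in this thread (a key whose Delete time has passed but which is still in the DNSKEY RRset, and a key file that was removed from the repository before named acted on it) is easy to audit from the timing metadata that dnssec-keygen and dnssec-settime write into the K&lt;zone&gt;+&lt;alg&gt;+&lt;id&gt;.private files. The script below is an added example and is not code from this thread or from ISC BIND. It assumes the .private file carries timing lines of the form "Publish: YYYYMMDDHHMMSS", "Activate: ...", "Delete: ..." in UTC (the format dnssec-settime uses); the sample files, the key IDs and the zone contents are constructed for illustration, with the dates taken from the mail above.

```python
"""Audit BIND DNSSEC key timing metadata against the DNSKEY RRset.

Added example, not code from the bind-users thread or from ISC BIND.
Assumption: the .private files written by dnssec-keygen/dnssec-settime
contain timing lines "Event: YYYYMMDDHHMMSS" (UTC). Sample data is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample repository: key 22924 is scheduled for deletion in the
# past, key 13245 is its active successor.
SAMPLE_PRIVATE_FILES = {
    "Kframail.de.+007+22924.private": """Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Created: 20110101000000
Publish: 20110101000000
Activate: 20110101000000
Delete: 20120507145502
""",
    "Kframail.de.+007+13245.private": """Private-key-format: v1.3
Algorithm: 7 (NSEC3RSASHA1)
Created: 20120401000000
Publish: 20120401000000
Activate: 20120408000000
""",
}

# Constructed: key IDs currently present in the zone's DNSKEY RRset
# (e.g. taken from `dig framail.de DNSKEY` and dnssec-dsfromkey output).
SAMPLE_DNSKEY_IDS_IN_ZONE = {22924, 13245}

TIMESTAMP_FORMAT = "%Y%m%d%H%M%S"
EVENTS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
KEY_ID_RE = re.compile(r"^K.+\+\d{3}\+(\d+)\.private$")


def parse_timing(text):
    """Return {event: datetime(UTC)} for the timing lines of a .private file."""
    times = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(\d{14})\s*$", line)
        if m and m.group(1) in EVENTS:
            times[m.group(1)] = datetime.strptime(
                m.group(2), TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    return times


def key_state(times, now):
    """Classify a key from its timing metadata as of `now`."""
    if "Delete" in times and times["Delete"] <= now:
        return "delete time passed: should be gone from DNSKEY RRset"
    if "Inactive" in times and times["Inactive"] <= now:
        return "inactive (published, no longer signing)"
    if "Activate" in times and times["Activate"] <= now:
        return "active (signing)"
    if "Publish" in times and times["Publish"] <= now:
        return "published (not yet signing)"
    return "not yet published"


def audit(private_files, dnskey_ids_in_zone, now):
    """Map key id -> finding. Flags two problems discussed in the thread:
    a key past its Delete time that is still in the zone, and a key in the
    zone whose file is missing from the repository (named cannot act on it).
    """
    findings = {}
    files_by_id = {}
    for name, text in private_files.items():
        m = KEY_ID_RE.match(name)
        if m:
            files_by_id[int(m.group(1))] = parse_timing(text)

    for key_id in sorted(dnskey_ids_in_zone | set(files_by_id)):
        if key_id not in files_by_id:
            findings[key_id] = "in zone but key file missing: restore the file, then schedule -D"
            continue
        state = key_state(files_by_id[key_id], now)
        if key_id not in dnskey_ids_in_zone:
            findings[key_id] = "on disk only: " + state
        elif state.startswith("delete time passed"):
            findings[key_id] = "STALE in zone: " + state + " (try rndc loadkeys)"
        else:
            findings[key_id] = state
    return findings


if __name__ == "__main__":
    observed = datetime(2012, 5, 10, 19, 51, 32, tzinfo=timezone.utc)
    for key_id, finding in audit(SAMPLE_PRIVATE_FILES,
                                 SAMPLE_DNSKEY_IDS_IN_ZONE, observed).items():
        print(key_id, finding)
```

Run it from the key directory after replacing the constructed samples with the real .private files and the key IDs seen in the live DNSKEY RRset; a "STALE in zone" line is the cue to run rndc loadkeys, and a "key file missing" line is the case Evan describes where the file has to be restored before named will remove the key.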