Getting reports that people with certain ISPs (like Comcast) can't resolve my domains now.

Did a dnsviz on my domain and the error is:

    RRSIG ksu.edu/A by ksu.edu/DNSKEY alg 8, key 14693: The RRSIG was made by a revoked key.

Which makes no sense, because I have no key with that id in my key repository. The files in my repository are:

    Kksu.edu.+008+09339.key
    Kksu.edu.+008+09339.private
    Kksu.edu.+008+14565.key
    Kksu.edu.+008+14565.private
    Kksu.edu.+008+29826.key
    Kksu.edu.+008+29826.private
    Kksu.edu.+008+31279.key
    Kksu.edu.+008+31279.private
    Kksu.edu.+008+44538.key
    Kksu.edu.+008+44538.private
    Kksu.edu.+008+51720.key
    Kksu.edu.+008+51720.private
    Kksu.edu.+008+51909.key
    Kksu.edu.+008+51909.private

Which represents all the Alg 8 keys since we switched to it from 7 on Jun 1st. Haven't decided on adding to current automation to clean up the old keys, or find different automation.

The old 7 keys weren't deleted, I just moved them aside (my record that we went signed on Jul 28, 2010, and first delegated subdomain was signed Nov 3, 2011....even though it didn't work correctly until last December, when I upgraded from 9.7.6-P4 to 9.9.2-P1, since the main feature of the subdomain is a wildcard record NSEC3...the mailer is supposed to masquerade everything in the subdomain as the subdomain, but sometimes host names leak out... :)

But, dnssec-signzone says this:

    Fetching KSK 31279/RSASHA256 from key repository.
    Fetching ZSK 14693/RSASHA256 from key repository.
    Fetching ZSK 44538/RSASHA256 from key repository.
    Verifying the zone using the following algorithms: RSASHA256.
    Zone fully signed:
    Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                          ZSKs: 1 active, 0 stand-by, 1 revoked
    ksu.edu.signed

The current ZSK is 44538

    ; This is a zone-signing key, keyid 44538, for ksu.edu.
    ; Created: 20130901090000 (Sun Sep 1 04:00:00 2013)
    ; Publish: 20130901090007 (Sun Sep 1 04:00:07 2013)
    ; Activate: 20130901090007 (Sun Sep 1 04:00:07 2013)
    ; Revoke: 20131202090000 (Mon Dec 2 03:00:00 2013)
    ; Inactive: 20131216090000 (Mon Dec 16 03:00:00 2013)
    ; Delete: 20131230090000 (Mon Dec 30 03:00:00 2013)
    ksu.edu. IN DNSKEY 256 3 8 AwEAAet97mpbg2GBaA5EhJxPbygYOFIrrjLSV/dAvyEDRSdcyqMjfZXt qQNj9lw0GY9Hc9s8vi3W2NApa2z3Ky+OO6SEMhsubN0bLnE76SAL01kW KZ8yrs/tu6/Rr7+NEB4Wa978pyosLIHtzF9WYlrY8bcPhQT21bgYonZJ R8r+6EXF

And, the prior ZSK was 14565

    ; This is a zone-signing key, keyid 14565, for ksu.edu.
    ; Created: 20130601090000 (Sat Jun 1 04:00:00 2013)
    ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
    ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
    ; Revoke: 20130901090000 (Sun Sep 1 04:00:00 2013)
    ; Inactive: 20130915090000 (Sun Sep 15 04:00:00 2013)
    ; Delete: 20130929090000 (Sun Sep 29 04:00:00 2013)
    ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe 52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1 t3rQaznB

I'm running bind-9.9.3-P2

Where is 14693 coming from? And, how do I get it to work right?

This problem also affects my other signed domains.

    Fetching ZSK 38373/RSASHA256 from key repository.
    Fetching ZSK 43247/RSASHA256 from key repository.
    Fetching KSK 52261/RSASHA256 from key repository.
    Verifying the zone using the following algorithms: RSASHA256.
    Zone fully signed:
    Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                          ZSKs: 1 active, 0 stand-by, 1 revoked
    k-state.edu.signed

There is no 43247

    Kk-state.edu.+008+06129.key
    Kk-state.edu.+008+06129.private
    Kk-state.edu.+008+22785.key
    Kk-state.edu.+008+22785.private
    Kk-state.edu.+008+23166.key
    Kk-state.edu.+008+23166.private
    Kk-state.edu.+008+38373.key
    Kk-state.edu.+008+38373.private
    Kk-state.edu.+008+41019.key
    Kk-state.edu.+008+41019.private
    Kk-state.edu.+008+43119.key
    Kk-state.edu.+008+43119.private
    Kk-state.edu.+008+52261.key
    Kk-state.edu.+008+52261.private

The prior ZSK was 43119

None of the Alg 7 keys have these IDs either.

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
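
The two unexplained key IDs each sit exactly 128 above the prior ZSK's ID (14565 + 128 = 14693, 43119 + 128 = 43247), which is the shift the RFC 4034 Appendix B key tag normally shows when the RFC 5011 REVOKE flag bit (0x0080) is set on a key; the posted 14565 key file carries a Revoke date of Sep 1 2013. The following Python code is an added example, not part of the original post and not BIND's own code: it computes the key tag of the posted 14565 record with the bit clear and with it set. The function names are hypothetical and `TOY` is a constructed record.

```python
import base64
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field

def parse_dnskey(line):
    """Split 'owner IN DNSKEY flags proto alg base64...' into its fields."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags, proto, alg, pubkey

def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSAMD5)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte  # big-endian 16-bit words
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def tags_without_and_with_revoke(line):
    """Return (tag with REVOKE clear, tag with REVOKE set) for one record."""
    flags, proto, alg, pubkey = parse_dnskey(line)
    return (key_tag(flags & ~REVOKE, proto, alg, pubkey),
            key_tag(flags | REVOKE, proto, alg, pubkey))

# DNSKEY record as posted for the prior ZSK (file Kksu.edu.+008+14565.key).
PRIOR_ZSK = (
    "ksu.edu. IN DNSKEY 256 3 8 "
    "AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe"
    "52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv"
    "q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1"
    "t3rQaznB"
)
# Constructed toy record (3-byte "key"), small enough to check by hand.
TOY = "example. IN DNSKEY 256 3 8 AQID"

if __name__ == "__main__":
    for name, rec in (("prior ZSK", PRIOR_ZSK), ("toy", TOY)):
        plain, revoked = tags_without_and_with_revoke(rec)
        print(f"{name}: tag {plain}, with REVOKE set {revoked}")
```

Because the flags field is the first 16-bit word of the summed RDATA, setting the bit adds 128 to the accumulator; the tag moves by 128, or by 129 in the rare case where the addition carries into the upper 16 bits.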