bind 9.9.4 How to troubleshoot issues when keys are supposed to be invalidated or deleted on specific dates, but aren't?
In this case, a KSK was supposed to be inactivated on 29 September 2013 and deleted on 9 October 2013.

From the .key file:

    ; This is a key-signing key, keyid 56989, for networktest.com.
    ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
    ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
    ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
    ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
    ; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)

Problem is, dig says the key is still active, and will be until 29 October 2013:

    $ dig networktest.com @localhost +multi rrsig | grep 56989
                    20131029191450 20130929181450 56989 networktest.com.

named.conf has this:

    options {
            ..
            // DNSSEC stuff
            managed-keys-directory "managed-keys";
            dnssec-enable yes;
            dnssec-validation auto;
    }
    ..
    zone "networktest.com" {
            type master;
            ..
            key-directory "managed-keys/networktest.com";
            inline-signing yes;
            auto-dnssec maintain;
    };

    $ ls -l managed-keys/networktest.com/ | grep 56989
    -rw-r----- 1 bind bind  719 Jul 31 13:15 Knetworktest.com.+008+56989.key
    -rw------- 1 bind bind 1824 Jul 31 13:15 Knetworktest.com.+008+56989.private

I don't understand the disconnect between the configured inactive/delete times and the ones returned by dig, and presume this is because I've misconfigured something.

Thanks in advance for troubleshooting clues.

dn
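A way to line up the two sets of timestamps quoted in the message above, as an added example that is not part of the original post or of BIND: it parses the timing comments of the .key file and the expiration, inception and key tag fields of the RRSIG line, then reports how the signature's validity window sits relative to the Inactive and Delete times. The helper names (ts, parse_key_timing, parse_rrsig_tail, compare) are hypothetical, and both inputs are taken to be UTC in YYYYMMDDHHMMSS form.

```python
import re
from datetime import datetime, timezone

# Sample input copied from the values quoted in the post above.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
"""
RRSIG_LINE = "    20131029191450 20130929181450 56989 networktest.com."

def ts(stamp):
    """YYYYMMDDHHMMSS (UTC) -> aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_timing(text):
    """Return (keyid, {event: datetime}) from a K*.key comment header."""
    tag = re.search(r"keyid (\d+)", text)
    if tag is None:
        raise ValueError("no keyid comment found")
    events = {m.group(1): ts(m.group(2))
              for m in re.finditer(r"^; (\w+): (\d{14})\b", text, re.M)}
    return int(tag.group(1)), events

def parse_rrsig_tail(line):
    """Parse the 'expiration inception keytag signer' fields printed by dig."""
    m = re.search(r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)", line)
    if m is None:
        raise ValueError("no RRSIG timing fields found")
    return ts(m.group(1)), ts(m.group(2)), int(m.group(3)), m.group(4)

def compare(key_text, rrsig_line):
    """Relate a signature's validity window to the key's Inactive/Delete times."""
    keyid, events = parse_key_timing(key_text)
    expiration, inception, keytag, _signer = parse_rrsig_tail(rrsig_line)
    if keytag != keyid:
        raise ValueError(f"RRSIG key tag {keytag} does not match keyid {keyid}")
    report = {"keytag": keyid, "validity": expiration - inception}
    for name in ("Inactive", "Delete"):
        when = events.get(name)  # an event not set in the file is reported as None
        report[name] = None if when is None else {
            "inception_before": inception < when,
            "expiration_after": expiration > when,
            "inception_lead": when - inception,
        }
    return report
```

On the values in the post, the RRSIG inception field is 2 hours 20 seconds earlier than the Inactive time, and its expiration is later than both the Inactive and the Delete times.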