Hi,
This is the example.com zone:

$ORIGIN .
$TTL 86400      ; 1 day
example.com             86400 IN SOA ns.example.com. hostmaster.example.com. (
                                2013122402 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        86400 NS ns.example.com.
$ORIGIN example.com.
ns                      86400 A 10.10.10.10
sub                     86400 NS ns.sub
                        86400 DS 19264 8 1 (
                                EA38AD65596500B2D6A4BC04478FFD5C13FF7600 )
                        86400 DS 19264 8 2 (
                                A68BF3856CA9AF1A669EA10DEC8BA72E174108EEB5AA
                                D1CF5A3C919E5AB9B60B )
                        86400 DS 36579 7 1 (
                                83F190FDEBF79DFEC93571D2C06240834C059414 )
                        86400 DS 36579 7 2 (
                                EAFB90C1EB610CF566EC677A381D5F9DCAFB8B0E2B6D
                                C78A7788E501D523187C )
$ORIGIN sub.example.com.
ns                      86400 A 10.10.10.11
$ORIGIN example.com.
www                     86400 A 2.2.2.2

This is the zone's status:

1.
[root@dnssec zone]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122402
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: no
key maintenance: automatic
next key event: Wed, 30 Jul 2014 18:00:34 GMT
dynamic: yes
frozen: no

2.
[root@dnssec keys]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122404
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Fri, 01 Aug 2014 02:00:00 GMT
next resign node: ns.example.com/NSEC
next resign time: Sat, 23 Aug 2014 12:30:46 GMT
dynamic: yes
frozen: no

3.
[root@dnssec zone]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122405
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 23 Aug 2014 13:30:46 GMT
next resign node: example.com/DNSKEY
next resign time: Sat, 23 Aug 2014 13:00:00 GMT
dynamic: yes
frozen: no

4.
[root@dnssec zone]# /opt/bind-9.10.0-P2/sbin/rndc -c /opt/bind-9.10.0-P2/etc/named-sld-rndc.conf -s 10.10.10.10 zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122406
nodes: 5
last loaded: Wed, 30 Jul 2014 17:00:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 23 Aug 2014 13:30:46 GMT
next resign node: ns.example.com/NSEC
next resign time: Mon, 15 Sep 2014 00:10:11 GMT
dynamic: yes
frozen: no

I notice that the next resign nodes are only ns.example.com/NSEC and example.com/DNSKEY, but actually there are 5 nodes in example.com. How does BIND choose the next resign node? What algorithm is it?

Thank you
Jittinan Suwanrueangsri