> How promptly are you deleting the key files? Any time >= deletion time, varying… we think this could explain why only some of the DNSKEYs are becoming zombies, but not all.
> Are you allowing enough time for named to go through a zone key maintenance > cycle? (which is hourly if I remember correctly) I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone key maintenance cycle” of an hour, and the docs also casually mention that “by default, this [key] rollover completes in 30 days” [1]. How long after deletion time is it safe to actually remove the underlying key files, if it isn’t the deletion time itself? -Mathew Eis [1] ftp://ftp.isc.org/isc/bind/9.8.0-P4/doc/arm/Bv9ARM.ch04.html -----Original Message----- From: Tony Finch <d...@dotat.at> Date: Monday, July 4, 2016 at 8:08 AM To: Mathew Eis <mathew....@nau.edu> Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org> Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian Eis <mathew....@nau.edu> wrote: > > We think that in some cases, named may be choosing to use a key past the > removal date (as in [2]), while our file maintenance process removes the > keys as per their deletion date – after which named no longer has the > necessary metadata to determine whether or not to remove the DNSKEY from > the zone. How promptly are you deleting the key files? Are you allowing enough time for named to go through a zone key maintenance cycle? (which is hourly if I remember correctly) > Lastly, so long as a zone is properly signed with a different key, are > there any concerns with manually removing the zombie DNSKEY records via > an update even while auto-dnssec maintain is enabled? I believe that should work. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode North Rockall: Westerly or northwesterly 3 or 4, increasing 5 at times. Moderate. Showers. Good. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
