Hi, you are right, I got confused there. Am I getting it right that the rest of the zone is not (re)signed because the current signature is still valid for some time?
So if I were to set sig-validity-interval to a shorter value, this would help with the issue? Sadly it seems to be a value in days, so it is not that easy to test. I will try setting the interval to 1 day with 23 hours preview signing. Thanks.

On 17.07.2016 at 06:06, Mark Andrews wrote:
> In message <5788c969.6070...@enbewe.de>, Nis Wechselberg writes:
>> Hi,
>>
>> I am currently testing a dnssec setup with the new dnssec-keymgr tool. I
>> created a test zone with very fast key rollover settings and very short
>> TTLs. (Configs below)
>>
>> The automated creation of keys seems to work fine but bind behaves other
>> than I would have expected.
>>
>> - Initial deployment looks fine with the current ZSK published and in use.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4ep6A/dnssec/)
>
> ZSK = 36141
>
>> - At prepublication time the next key is published but not yet used (as
>> expected).
>> (http://dnsviz.net/d/testmichhartundwild.de/V4fV_A/dnssec/)
>
> New ZSK is 10173
>
>> - After rollover time the new key is used to sign the zone EXCEPT the
>> SOA record. This one is still signed by the old key.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4fyNQ/dnssec/)
>
> No. The new ZSK signs the SOA record. The old signatures still exist
> on the other records as the only RRset that changes is the SOA.
>
>> - When post-publication of the old key expires it is removed and the new
>> key is used for all records.
>> (http://dnsviz.net/d/testmichhartundwild.de/V4gSGg/dnssec/)
>>
>>
>> I am confused because of the special treatment of the SOA record. I would
>> expect a complete switch to the new key. At the moment, cached responses
>> of the SOA record could not be verified in the timeframe between
>> deletion of the old key and the next TTL.
>>
>> Am I missing something?
>>
>> Regards,
>> Nis
>>
>> ----
>>
>>
>> dnssec-keymgr policy:
>>
>> zone testmichhartundwild.de {
>>     algorithm RSASHA256;
>>     directory "/etc/bind/zones/keys";
>>     coverage 2d;
>>     keyttl 600;
>>     roll-period zsk 8h;
>>     post-publish zsk 2h;
>>     pre-publish zsk 2h;
>> };
>>
>>
>> bind zone config:
>>
>> zone "testmichhartundwild.de" IN {
>>     type master;
>>
>>     file "de/testmichhartundwild.de/zone.db";
>>
>>     // Allow zone transfers to trusted servers
>>     allow-transfer {
>>         myServers;
>>         localhost;
>>     };
>>
>>     // Allow updates with shared key
>>     update-policy {
>>         grant morpheus-trinity. zonesub any;
>>     };
>>     serial-update-method unixtime;
>>
>>     // Activate dnssec for this domain
>>     key-directory "keys";
>>     auto-dnssec maintain;
>> };
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
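A check for the situation discussed in this thread, added here as an example and not code from the thread, from BIND or from dnssec-keymgr: it parses RRSIG records in the presentation format dig prints and reports, per key tag, which RRsets each ZSK still signs, which signatures by the retiring key are dated to outlive that key's removal from the DNSKEY RRset, and which signatures currently fall inside a re-sign window. The sample answer section is constructed for the demo; only the zone name and the two ZSK tags (36141 old, 10173 new) come from the thread, while the KSK tag 20000, the signature times, the key removal time and the dummy signature data are invented.

```python
"""Audit which ZSK signs each RRset of a zone after a rollover.

Added example for the thread above; not BIND or dnssec-keymgr code.
Input is the presentation format printed by dig (owner, TTL, class,
RRSIG, then the RFC 4034 rdata: type covered, algorithm, labels,
original TTL, expiration, inception, key tag, signer, signature).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"   # RFC 4034 s.3.2: YYYYMMDDHHmmSS in UTC

# Constructed sample (not a real capture): the state described after the
# rollover time, where only the SOA carries a signature from the new ZSK.
# KSK tag 20000, all times and the short dummy signatures are invented.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION (constructed for this example)
testmichhartundwild.de. 600 IN RRSIG SOA 8 2 600 20160817120000 20160718120000 10173 testmichhartundwild.de. c29h
testmichhartundwild.de. 600 IN RRSIG NS 8 2 600 20160816100000 20160717100000 36141 testmichhartundwild.de. bnM=
www.testmichhartundwild.de. 600 IN RRSIG A 8 3 600 20160816100000 20160717100000 36141 testmichhartundwild.de. YQ==
testmichhartundwild.de. 600 IN RRSIG DNSKEY 8 2 600 20160816100000 20160717100000 20000 testmichhartundwild.de. ZG5z
"""


def _rrsig_time(field):
    """Parse an RRSIG expiration/inception field as an aware UTC datetime."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG line; comments, blanks and other RR types are skipped."""
    sigs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[0].startswith(";") or fields[3] != "RRSIG":
            continue
        sigs.append({"owner": fields[0], "covered": fields[4],
                     "expiration": _rrsig_time(fields[8]),
                     "inception": _rrsig_time(fields[9]),
                     "key_tag": int(fields[10]), "signer": fields[11]})
    return sigs


def rrsets_by_key(sigs):
    """Map key tag -> sorted (owner, type) RRsets that key currently signs."""
    by_key = defaultdict(set)
    for s in sigs:
        by_key[s["key_tag"]].add((s["owner"], s["covered"]))
    return {tag: sorted(rrsets) for tag, rrsets in by_key.items()}


def signatures_outliving_key(sigs, key_tag, key_removal):
    """RRsets whose signature by key_tag is still dated valid after that DNSKEY
    is scheduled to leave the zone. A validator holding such an RRset that
    fetches the DNSKEY RRset after the removal has no key with a matching tag
    to verify it against (RFC 4035 s.5.3.1)."""
    return sorted((s["owner"], s["covered"], s["expiration"].strftime(RRSIG_TIME_FMT))
                  for s in sigs
                  if s["key_tag"] == key_tag and s["expiration"] > key_removal)


def due_for_resign(sigs, now, resign_window_days):
    """RRsets whose remaining signature lifetime is within the re-sign window.
    A signer that only regenerates signatures approaching expiry leaves the
    others untouched, which is why unchanged RRsets keep signatures from a
    ZSK that has already stopped signing new changes."""
    window = timedelta(days=resign_window_days)
    return sorted((s["owner"], s["covered"], s["key_tag"])
                  for s in sigs if s["expiration"] - now <= window)


SIGS = parse_rrsigs(SAMPLE_DIG_OUTPUT)
OLD_ZSK, NEW_ZSK = 36141, 10173
# Constructed schedule: old ZSK leaves the DNSKEY RRset at 2016-07-18 14:00 UTC.
OLD_ZSK_REMOVAL = datetime(2016, 7, 18, 14, 0, tzinfo=timezone.utc)
NOW = datetime(2016, 7, 18, 13, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for tag, rrsets in sorted(rrsets_by_key(SIGS).items()):
        print(f"key {tag} signs: {rrsets}")
    print("old-ZSK signatures dated past its removal:",
          signatures_outliving_key(SIGS, OLD_ZSK, OLD_ZSK_REMOVAL))
    # 30-day validity with the re-sign point at 1/4 of it, i.e. 7.5 days.
    print("due for re-signing now:", due_for_resign(SIGS, NOW, 7.5))
```

To run it against the real zone, replace SAMPLE_DIG_OUTPUT with the output of `dig @<your server> testmichhartundwild.de AXFR` (transfers from localhost are allowed in the zone config quoted above), which lists every RRSIG in the zone, and set OLD_ZSK_REMOVAL to the Delete time that `dnssec-settime -p all` prints for the old key file.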