After the fantastic ISC DNSSEC webinar series last month, I began using KASP for my DNSSEC signed zones. I have noticed an odd behavior with regard to the files BIND keeps in keys/ (K*.key, K*.private, and K*.state). For inactive/retired keys, every BIND restart updates the dates in those files (see below). This raises two questions:

1. Should the time a key becomes inactive or retired be a fixed point in time rather than changing to the last time BIND restarted for every restart?

2. When, if ever, is it safe to remove the files from the keys directory for inactive/retired keys (i.e., is there a state after Inactive or Retired)?

An example set of changes is shown in the pruned diff below. Note that for this particular key, the state file shows the following states:

DNSKEYState: hidden
ZRRSIGState: hidden
GoalState: hidden

--- Kgshapiro.net.+008+05640.key 18 May 2020 02:06:14 -0000 1.9
+++ Kgshapiro.net.+008+05640.key 19 May 2020 23:53:06 -0000
-; Inactive: 20200518020420 (Tue May 18 02:04:20 2020)
+; Inactive: 20200519230430 (Tue May 19 23:04:30 2020)
--- Kgshapiro.net.+008+05640.private 18 May 2020 02:06:14 -0000 1.9
+++ Kgshapiro.net.+008+05640.private 19 May 2020 23:53:06 -0000
-Inactive: 20200518020420
+Inactive: 20200519230430
--- Kgshapiro.net.+008+05640.state 18 May 2020 02:06:14 -0000 1.8
+++ Kgshapiro.net.+008+05640.state 19 May 2020 23:53:06 -0000
-Retired: 20200518020420 (Tue May 18 02:04:20 2020)
+Retired: 20200519230430 (Tue May 19 23:04:30 2020)

Thanks!

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
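As an added example (not part of the original post and not BIND's own code), the following Python script parses the "Field: value" metadata that the K*.key, K*.private and K*.state files in the post share, reports which timestamp fields moved between two snapshots of the same key, and says whether every *State field in a .state file reads "hidden". The sample snapshots are constructed from the values in the posted diff; the header comment lines, the Created/Publish/Activate lines and the DNSKEY placeholder are assumptions about the file layout, not content from the post. The script only reports what the files contain; it does not decide whether a key's files may be deleted.

```python
"""Parse the metadata in BIND KASP key files (K*.key, K*.private, K*.state)
and report which timestamp fields moved between two snapshots of one key.
Added example; the sample file contents below are constructed from the
values in the post, not copied from a real keys/ directory."""
import re
from datetime import datetime

# ".key" files prefix metadata with "; "; ".private" and ".state" do not.
_FIELD_RE = re.compile(r"^;?\s*([A-Za-z-]+):\s*(.*?)\s*$")
# BIND timestamps are YYYYMMDDHHMMSS, optionally followed by a human-readable
# copy in parentheses: "20200518020420 (Tue May 18 02:04:20 2020)".
_TIME_RE = re.compile(r"^(\d{14})(?:\s*\(.*\))?$")

# Constructed snapshots of the .state file before and after a restart.
# Only the Retired line differs, mirroring the posted diff.
STATE_BEFORE = """\
; This is the state of key 5640, for gshapiro.net.
Retired: 20200518020420 (Tue May 18 02:04:20 2020)
DNSKEYState: hidden
ZRRSIGState: hidden
GoalState: hidden
"""
STATE_AFTER = STATE_BEFORE.replace(
    "Retired: 20200518020420 (Tue May 18 02:04:20 2020)",
    "Retired: 20200519230430 (Tue May 19 23:04:30 2020)")

# Constructed .key snapshots; the Created/Publish/Activate lines and the
# DNSKEY RR placeholder are assumptions about the file layout.
KEY_BEFORE = """\
; This is a zone-signing key, keyid 5640, for gshapiro.net.
; Created: 20200401000000 (Wed Apr  1 00:00:00 2020)
; Publish: 20200401000000 (Wed Apr  1 00:00:00 2020)
; Activate: 20200401000000 (Wed Apr  1 00:00:00 2020)
; Inactive: 20200518020420 (Tue May 18 02:04:20 2020)
gshapiro.net. IN DNSKEY 256 3 8 <key material omitted>
"""
KEY_AFTER = KEY_BEFORE.replace("20200518020420 (Tue May 18 02:04:20 2020)",
                               "20200519230430 (Tue May 19 23:04:30 2020)")


def parse_metadata(text):
    """Return {field: value}; the parenthesised time copy is dropped so the
    same instant compares equal across .key, .private and .state files."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue  # free-text comment, DNSKEY RR, blank line
        name, value = m.groups()
        t = _TIME_RE.match(value)
        fields[name] = t.group(1) if t else value
    return fields


def as_datetime(value):
    """YYYYMMDDHHMMSS -> datetime; None when the value is not a timestamp."""
    if value is not None and re.fullmatch(r"\d{14}", value):
        return datetime.strptime(value, "%Y%m%d%H%M%S")
    return None


def changed_timestamps(before, after):
    """Timestamp fields that differ between two snapshots of the same key,
    as {field: (old_datetime, new_datetime, delta_seconds)}."""
    changed = {}
    for name in sorted(set(before) | set(after)):
        old_dt = as_datetime(before.get(name))
        new_dt = as_datetime(after.get(name))
        if old_dt is None and new_dt is None:
            continue  # not a timing field (e.g. GoalState)
        if old_dt == new_dt:
            continue
        delta = (new_dt - old_dt).total_seconds() if old_dt and new_dt else None
        changed[name] = (old_dt, new_dt, delta)
    return changed


def is_fully_hidden(state):
    """True when every *State field present in a .state file reads 'hidden'.
    This only reports what the file says; it does not decide whether the
    key files may be deleted."""
    states = {k: v for k, v in state.items() if k.endswith("State")}
    return bool(states) and all(v == "hidden" for v in states.values())


def summarize(before_text, after_text):
    """Compare two snapshots of one key file and return a plain dict."""
    before, after = parse_metadata(before_text), parse_metadata(after_text)
    return {"changed": changed_timestamps(before, after),
            "fully_hidden": is_fully_hidden(after)}


if __name__ == "__main__":
    for label, b, a in (("state", STATE_BEFORE, STATE_AFTER),
                        ("key", KEY_BEFORE, KEY_AFTER)):
        s = summarize(b, a)
        for field, (old, new, delta) in s["changed"].items():
            print(f"{label}: {field} moved {old} -> {new} (+{delta:.0f}s)")
        print(f"{label}: all states hidden: {s['fully_hidden']}")
```

Run against the real files by reading two copies taken before and after a restart (for example from version control, as the poster did) and passing their contents to summarize(); any field that parses as a 14-digit timestamp is compared, so the script does not depend on a fixed list of field names.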