On Fri, Nov 29, 2024 at 04:46:26PM +1100, Mark Andrews wrote:
! Looks like when we added the code to sign CDNSKEY and CDS with KSKs we missed
! code to skip REVOKED KSKs.

Okay, happens.

! P.S. You have a DS pointing to a non self signed DNSKEY.

Yes, probably, due to continuous-rollover. DS are maintained manually
(I didn't find anybody listening to CDNSKEY yet) and I have
two KSKs for high-availability, and the third is currently introduced
or retiring (the rollover scheme works for RFC 5011 also).

cheerio,
PMc


! 
! > On 29 Nov 2024, at 13:54, Peter 'PMc' Much <p...@citylink.dinoex.sub.org> wrote:
! > 
! > Hi,
! > 
! >   I just noticed my dns-signer recently started to create some
! > invalid signings - the two red arrows in here:
! > 
! >   https://dnsviz.net/d/daemon.contact/Z0ka0A/dnssec/
! > 
! > There is a history, one can go back and see these weren't present
! > in March '24 and earlier.
! > 
! > The problem is, I didn't change anything; my script does basically
! > invoke 'dnssec-signzone' & friends, and only that was regularly upgraded.
! > 
! > root@kerb:~opdns/DNSSEC/config # dir /ext/libexec/dns-signer.rb
! > -r-xr-xr-x  1 root  wheel  uarch 7037 Mar 29  2023 /ext/libexec/dns-signer.rb
! > root@kerb:~opdns/DNSSEC/config # dir
! > -rw-rw-r--   1 opdns  staff  uarch 119 May 16  2022 daemon.contact:intra
! > -rw-rw-r--   1 opdns  staff  uarch 850 May 30  2022 global
! > root@kerb:~opdns/DNSSEC/config # grep bind /var/log/messages
! > Jan  7 19:30:11 <user.notice> kerb pkg[43351]: bind-tools upgraded: 9.18.20 -> 9.18.20_1
! > Mar  3 01:01:42 <user.notice> kerb pkg[30861]: bind-tools upgraded: 9.18.20_1 -> 9.18.24
! > Apr 12 23:05:48 <user.notice> kerb pkg[95839]: bind-tools reinstalled: 9.18.24 -> 9.18.24
! > Apr 29 10:21:01 <user.notice> kerb pkg[85248]: bind-tools upgraded: 9.18.24 -> 9.18.26
! > Jul  8 20:49:49 <user.notice> kerb pkg[98894]: bind-tools upgraded: 9.18.26 -> 9.18.27_1
! > Jul 27 19:23:28 <user.notice> kerb pkg[53621]: bind-tools upgraded: 9.18.27_1 -> 9.18.28
! > Aug 24 17:54:22 <user.notice> kerb pkg[51161]: bind-tools upgraded: 9.18.28 -> 9.18.29
! > Sep  8 21:13:34 <user.notice> kerb pkg[22254]: bind-tools reinstalled: 9.18.29 -> 9.18.29
! > Oct 17 20:16:54 <user.notice> kerb pkg[90460]: bind-tools upgraded: 9.18.29 -> 9.20.2
! > 
! > I am sure these arrows are no technical problem, but, well, they don't
! > look good... so what has happened?
! > 
! > cheerio,
! > PMc
! > -- 
! > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
! > 
! > ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
! > 
! > 
! > bind-users mailing list
! > bind-users@lists.isc.org
! > https://lists.isc.org/mailman/listinfo/bind-users
! 
! -- 
! Mark Andrews, ISC
! 1 Seymour St., Dundas Valley, NSW 2117, Australia
! PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
! 
! 
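Added example (not code from this thread or from BIND): a check over a signed zone, given as one record per line in presentation format, that reports CDS/CDNSKEY RRSIGs whose signer is a DNSKEY with the REVOKE bit set, the condition Mark Andrews describes above. The zone data, key bytes, signatures and function names are constructed for illustration; key tags are computed as in RFC 4034 Appendix B.

```python
import base64
import struct

REVOKE = 0x0080  # DNSKEY REVOKE flag bit (RFC 5011); a revoked KSK shows flags 385

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def revoked_cds_signers(zone_text):
    """Return (owner, covered type, key tag) for CDS/CDNSKEY RRSIGs made by revoked keys."""
    # Assumes one record per line: owner TTL class type rdata...
    records = [f for f in (line.split() for line in zone_text.splitlines())
               if len(f) >= 5 and not f[0].startswith(";")]
    revoked = set()
    for owner, _ttl, _cls, rtype, *rdata in records:
        if rtype == "DNSKEY" and int(rdata[0]) & REVOKE:
            flags, proto, alg = (int(x) for x in rdata[:3])
            revoked.add((owner.lower(), key_tag(flags, proto, alg, "".join(rdata[3:]))))
    hits = []
    for owner, _ttl, _cls, rtype, *rdata in records:
        # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
        if rtype == "RRSIG" and rdata[0] in ("CDS", "CDNSKEY"):
            tag, signer = int(rdata[6]), rdata[7].lower()
            if (signer, tag) in revoked:
                hits.append((owner, rdata[0], tag))
    return hits

def sample_zone():
    """Constructed sample: placeholder key bytes and signatures, not real keys."""
    active, old = "AAECAwQFBgc=", "CAkKCwwNDg8="
    sig = "13 1 3600 20250101000000 20241201000000"
    t_act, t_old = key_tag(257, 3, 13, active), key_tag(385, 3, 13, old)
    return "\n".join([
        f"example. 3600 IN DNSKEY 257 3 13 {active}",
        f"example. 3600 IN DNSKEY 385 3 13 {old}",  # REVOKE bit set
        f"example. 3600 IN RRSIG DNSKEY {sig} {t_old} example. c2ln",   # RFC 5011 self-signature, expected
        f"example. 3600 IN RRSIG CDS {sig} {t_act} example. c2ln",      # fine
        f"example. 3600 IN RRSIG CDS {sig} {t_old} example. c2ln",      # flagged
        f"example. 3600 IN RRSIG CDNSKEY {sig} {t_old} example. c2ln",  # flagged
    ])

if __name__ == "__main__":
    for owner, covered, tag in revoked_cds_signers(sample_zone()):
        print(f"{owner} {covered} RRSIG made by revoked key tag {tag}")
```

Setting the REVOKE bit changes the key tag, so the tag must be computed from the DNSKEY as published with flags 385, not from the key's pre-revocation tag.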