error when removing expired key files

2017-05-06 Thread Gordon Messmer

I'm working on a script that automatically renews DNS keys:

https://bitbucket.org/gordonmessmer/update-dns-keys/src

After new keys are introduced, and after the old key has expired, the 
old keys are removed (at job, lines 122 and 123).  When the expired keys 
are removed from the filesystem, named begins to complain:


   zone dragonsdawn.net/IN/local_resolver (signed): Key
   dragonsdawn.net/RSASHA256/37038 missing or inactive and has no
   replacement: retaining signatures.

I've tried running "rndc loadkeys '$zone' in public" afterward, but 
named continues to log that error.  What's the expected behavior for 
handling expired keys?  Can we not remove them until the server is 
restarted (which does clear the error)?


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

inline-signing a zone that exists in two views

2017-05-06 Thread Gordon Messmer
I have a zone that I'd like to serve in two different views, with dnssec 
in both views.  However, this leads to a pair of error messages:


   named[858]: malformed transaction:
   dynamic/db.dragonsdawn.net.signed.jnl last serial 2017011485 !=
   transaction first serial 2017011477
   named[858]: zone dragonsdawn.net/IN/local_resolver (signed):
   zone_resigninc:dns_journal_write_transaction -> unexpected error

Is it possible to serve a second view, using the keys that are 
maintained in the primary view?  This might be mostly for curiosity's 
sake, since the value of signed responses is reasonably low for "local" 
clients.



view local_resolver {
    ...
    zone "dragonsdawn.net" IN {
        type master;
        file "dynamic/db.dragonsdawn.net";
        update-policy local;
        key-directory "keys/dragonsdawn.net";
        inline-signing yes;
        auto-dnssec allow;
    };
};

view public {
    recursion no;
    ...
    zone "dragonsdawn.net" IN {
        type master;
        file "dynamic/db.dragonsdawn.net";
        update-policy local;
        key-directory "keys/dragonsdawn.net";
        inline-signing yes;
        auto-dnssec maintain;
    };
};

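An added example, not part of Gordon's message or of his script: the configuration above defines two independent zone objects that both load "dynamic/db.dragonsdawn.net" with inline-signing, so two signers maintain the same .signed file and the same .signed.jnl journal, which is consistent with the mismatched journal serials in the log. BIND 9.10 and later provide the "in-view" zone option for exactly this case: the zone is defined (and signed) once in the first view, and the second view references that zone object instead of loading the file a second time. The "..." lines stand for the view options elided in the original post; the "in-view" view must already have been defined earlier in named.conf, and a zone declared with "in-view" takes its file, keys and signing options from that first definition rather than repeating them.

```conf
// Added example (not from the original post): one inline-signed zone
// served in two views via in-view, BIND 9.10 or later.

view local_resolver {
    ...
    // The only copy of the zone: one file, one journal, one signer.
    zone "dragonsdawn.net" IN {
        type master;
        file "dynamic/db.dragonsdawn.net";
        update-policy local;
        key-directory "keys/dragonsdawn.net";
        inline-signing yes;
        auto-dnssec maintain;
    };
};

view public {
    recursion no;
    ...
    // Reference the zone object defined in local_resolver instead of
    // loading "dynamic/db.dragonsdawn.net" again. No file, key-directory
    // or signing options are repeated here; they belong to the first view.
    zone "dragonsdawn.net" IN {
        in-view "local_resolver";
    };
};
```

With this layout there is a single .signed file and journal to update, and "rndc loadkeys dragonsdawn.net in local_resolver" is the one command that governs the keys both views answer with.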