Re: auto-dnssec maintain and DNSKEY removal

2016-07-15 Thread Mathew Ian Eis
--- From: Tony Finch Date: Thursday, July 14, 2016 at 3:17 AM To: Mathew Eis Cc: "bind-users@lists.isc.org" Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian Eis wrote: > > sig-validity-interval seems to only affect the expiration date of newly >

Re: auto-dnssec maintain and DNSKEY removal

2016-07-14 Thread Tony Finch
Mathew Ian Eis wrote:
>
> sig-validity-interval seems to only affect the expiration date of newly
> created signatures, and of course signatures are only rolling over to
> new keys as they expire.
>
> I am wondering if I can ask bind to set the expiration for, say 30 days
> out, but when a new key

Re: auto-dnssec maintain and DNSKEY removal

2016-07-13 Thread Mathew Ian Eis
, Mathew Eis -Original Message- From: Tony Finch Date: Wednesday, July 6, 2016 at 2:48 AM To: Mathew Eis Cc: "bind-users@lists.isc.org" Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian Eis wrote: > > Does all of that sound right? I believ

Re: auto-dnssec maintain and DNSKEY removal

2016-07-06 Thread Tony Finch
Mathew Ian Eis wrote:
>
> Does all of that sound right?

I believe so, yes.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly, backing southwesterly, 3 or 4, becoming variable for a time. Smooth or

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Mathew Ian Eis
its thing and not hang onto zombie keys anymore. Does all of that sound right? Thanks again, -Mathew Eis From: Tony Finch Date: Tuesday, July 5, 2016 at 10:48 AM To: Mathew Eis , "bind-users@lists.isc.org" Subject: Re: auto-dnssec maintain and DNSKEY removal Mathew Ian

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Tony Finch
Mathew Ian Eis wrote:
>
> > Are you allowing enough time for named to go through a zone key
> > maintenance cycle? (which is hourly if I remember correctly)
>
> I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone
> key maintenance cycle” of an hour, and the docs also casual

Re: auto-dnssec maintain and DNSKEY removal

2016-07-05 Thread Mathew Ian Eis
e underlying key files, if it isn’t the deletion time itself? -Mathew Eis [1] ftp://ftp.isc.org/isc/bind/9.8.0-P4/doc/arm/Bv9ARM.ch04.html -Original Message- From: Tony Finch Date: Monday, July 4, 2016 at 8:08 AM To: Mathew Eis Cc: "bind-users@lists.isc.org" Subject: Re: au

Re: auto-dnssec maintain and DNSKEY removal

2016-07-04 Thread Tony Finch
Mathew Ian Eis wrote:
>
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to determine whether or not to

auto-dnssec maintain and DNSKEY removal

2016-07-01 Thread Mathew Ian Eis
Hi BIND, The documentation for auto-dnssec maintain suggests that named will remove DNSKEYs from zones when the deletion time marked in the metadata occurs [1]. Unfortunately, it seems this is not always the case. We are currently trying to diagnose the source of residual DNSKEYs in our zones