9.9.0b2 Key Expiration Question

McConville, Kevin kmcconville at albany.edu
Thu Dec 1 18:59:20 UTC 2011


Hopefully this is a "duh" moment that I'm having. I am testing out what happens when you have set the ZSK inactive and delete times and then try to sign the zone via a rndc reload zonename command (using static zone file with inline signing).

We have 3 keys as listed below:

KSK - 63406
ZSK - 16122
ZSK - 55416
--------------------------------

$dnssec-settime -p all Kualbanytest.org.+005+63406
Created: Fri Apr 22 12:49:33 2011
Publish: Fri Apr 22 12:49:33 2011
Activate: Fri Apr 22 12:49:33 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

$dnssec-settime -p all Kualbanytest.org.+005+16122
Created: Tue Nov 29 14:27:19 2011
Publish: Tue Nov 29 14:27:19 2011
Activate: Tue Nov 29 14:27:19 2011
Revoke: UNSET
Inactive: Tue Nov 29 16:08:07 2011
Delete: Tue Nov 29 17:08:42 2011

$dnssec-settime -p all Kualbanytest.org.+005+55416
Created: Tue Nov 29 15:13:06 2011
Publish: Tue Nov 29 15:13:06 2011
Activate: Tue Nov 29 15:43:06 2011
Revoke: UNSET
Inactive: Wed Nov 30 15:13:06 2011
Delete: Wed Nov 30 15:47:56 2011

So, key 55416 was pre-published and was temporarily double-signing with key 16122. By now (13:58 - 12-01-11) both ZSKs (55416 & 16122) should have been inactive and deleted from the zone key list. However, when updating the master static zone file and then doing an rndc reload ualbanytest.org - it signs the zone like there still is a valid ZSK.

Doing a dig +dnssec only lists the KSK of 63406. Same thing when checking the zone with ( http://dnssec-debugger.verisignlabs.com ).

Did I forget to read a part of the manual? Do I need a new cup of coffee? Any advice or suggestions are greatly appreciated.


Thanks,



-Kevin



Kevin McConville
University at Albany
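As an added illustration, not part of Kevin's message and not BIND's own code, the following Python script parses the three `dnssec-settime -p all` listings above and reports, for a given instant, which keys the timing metadata makes eligible to sign. The key roles (KSK/ZSK) are supplied by hand from the list in the post, since `-p` output does not print the DNSKEY flags; the state ordering (Delete overrides Inactive, which overrides Activate) is the usual reading of the metadata and is an assumption of this example, not a statement about 9.9.0b2 internals.

```python
"""Evaluate BIND key timing metadata at a given instant (added example)."""
import re
from datetime import datetime

# Sample input constructed from the key listings in the post.
SETTIME_OUTPUT = """\
$dnssec-settime -p all Kualbanytest.org.+005+63406
Created: Fri Apr 22 12:49:33 2011
Publish: Fri Apr 22 12:49:33 2011
Activate: Fri Apr 22 12:49:33 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

$dnssec-settime -p all Kualbanytest.org.+005+16122
Created: Tue Nov 29 14:27:19 2011
Publish: Tue Nov 29 14:27:19 2011
Activate: Tue Nov 29 14:27:19 2011
Revoke: UNSET
Inactive: Tue Nov 29 16:08:07 2011
Delete: Tue Nov 29 17:08:42 2011

$dnssec-settime -p all Kualbanytest.org.+005+55416
Created: Tue Nov 29 15:13:06 2011
Publish: Tue Nov 29 15:13:06 2011
Activate: Tue Nov 29 15:43:06 2011
Revoke: UNSET
Inactive: Wed Nov 30 15:13:06 2011
Delete: Wed Nov 30 15:47:56 2011
"""

# Roles come from the post's own list; they are not in the -p output.
ROLES = {63406: "KSK", 16122: "ZSK", 55416: "ZSK"}

TIME_FMT = "%a %b %d %H:%M:%S %Y"          # format printed by dnssec-settime -p
KEY_RE = re.compile(r"\+(\d{3})\+(\d{5})\s*$")  # ...+<alg>+<keytag> at end of line
FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def parse_settime(text):
    """Return {key_tag: {field: datetime or None}} from concatenated -p output."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.search(line)
        if line.startswith("$dnssec-settime") and m:
            current = int(m.group(2))
            keys[current] = dict.fromkeys(FIELDS)
            continue
        field, _, value = line.partition(":")
        if current is not None and field in FIELDS:
            value = value.strip()
            keys[current][field] = (
                None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
            )
    return keys


def key_state(meta, now):
    """Lifecycle state implied by the metadata at `now` (assumed ordering:
    a passed Delete time overrides Inactive, which overrides Activate).
    Revoke is parsed but not modelled here."""
    if meta["Delete"] and now >= meta["Delete"]:
        return "deleted"       # should no longer be in the DNSKEY RRset
    if meta["Inactive"] and now >= meta["Inactive"]:
        return "inactive"      # still published, must not make new signatures
    if meta["Activate"] and now >= meta["Activate"]:
        return "active"        # eligible to sign
    if meta["Publish"] and now >= meta["Publish"]:
        return "published"     # pre-published, not yet signing
    return "unpublished"


def audit(keys, roles, now):
    """Return (states, warnings). A warning is raised for any role with no
    active key, since the signer is then left without a usable key of that
    role. `now` may be a datetime or an ISO string such as '2011-12-01 13:58'."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    states = {tag: key_state(meta, now) for tag, meta in keys.items()}
    warnings = []
    for role in ("KSK", "ZSK"):
        active = [t for t, s in states.items() if s == "active" and roles.get(t) == role]
        if not active:
            warnings.append(f"no active {role} at {now:%Y-%m-%d %H:%M}")
    return states, warnings


if __name__ == "__main__":
    states, warnings = audit(parse_settime(SETTIME_OUTPUT), ROLES, "2011-12-01 13:58")
    for tag, state in sorted(states.items()):
        print(f"{tag} {ROLES[tag]}: {state}")
    for w in warnings:
        print("WARNING:", w)
```

Run against the post's timestamps at the instant Kevin quotes (13:58 on 2011-12-01), the script reports both ZSKs as deleted and the KSK as the only active key, and emits "no active ZSK"; that is the condition worth alarming on in any key-rollover check, because a zone whose only remaining active key is the KSK is one a reload can leave either unsigned or signed in a way the operator did not plan.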
