9.9.0b2 Key Expiration Question

Chris Thompson cet1 at cam.ac.uk
Thu Dec 1 20:13:54 UTC 2011

On Dec 1 2011, McConville, Kevin wrote:

>Hopefully this is a "duh" moment that I'm having. I am testing out what
>happens when you have set the ZSK inactive and delete times and then try
>to sign the zone via a rndc reload zonename command (using static zone
>file with inline signing).
>We have 3 keys as listed below:
>KSK - 63406
>ZSK - 16122
>ZSK - 55416
>$dnssec-settime -p all Kualbanytest.org.+005+63406
>Created: Fri Apr 22 12:49:33 2011
>Publish: Fri Apr 22 12:49:33 2011
>Activate: Fri Apr 22 12:49:33 2011
>Revoke: UNSET
>Inactive: UNSET
>Delete: UNSET
>$dnssec-settime -p all Kualbanytest.org.+005+16122
>Created: Tue Nov 29 14:27:19 2011
>Publish: Tue Nov 29 14:27:19 2011
>Activate: Tue Nov 29 14:27:19 2011
>Revoke: UNSET
>Inactive: Tue Nov 29 16:08:07 2011
>Delete: Tue Nov 29 17:08:42 2011
>$dnssec-settime -p all Kualbanytest.org.+005+55416
>Created: Tue Nov 29 15:13:06 2011
>Publish: Tue Nov 29 15:13:06 2011
>Activate: Tue Nov 29 15:43:06 2011
>Revoke: UNSET
>Inactive: Wed Nov 30 15:13:06 2011
>Delete: Wed Nov 30 15:47:56 2011
>So, key 55416 was pre-published and was temporarily double-signing with
>key 16122. By now (13:58 - 12-01-11) both ZSKs (55416 & 16122) should
>have been inactive and deleted from the zone key list. However, when
>updating the master static zone file and then doing an rndc reload
>ualbanytest.org - it signs the zone like there still is a valid ZSK.
>Doing a dig +dnssec only lists the KSK of 63406. Same thing when checking
>the zone with ( http://dnssec-debugger.verisignlabs.com ).
>Did I forget to read a part of the manual? Do I need a new cup of coffee?
>Any advice or suggestions are greatly appreciated.

I think that because you have told it to inactivate and indeed delete both
ZSKs, in desperation it has signed the whole zone with the only remaining
key, even though it has the SEP bit set.

Read the description of the "update-check-ksk" option (default "yes")
carefully, including this bit:

| When this option is set to yes, there must be at least two active keys
| for every algorithm represented in the DNSKEY RRset: at least one KSK
| and one ZSK per algorithm. If there is any algorithm for which this
| requirement is not met, this option will be ignored for that algorithm.

Chris Thompson
Email: cet1 at cam.ac.uk
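
An added example, not part of the original thread and not BIND code: a pre-reload check that reads `dnssec-settime -p` style timing fields and reports any algorithm left without an active KSK or ZSK, the condition under which the quoted text says update-check-ksk is ignored. The timestamps are copied from the thread; the KSK/ZSK roles come from the poster's key list, and the "active" rule and the function names are assumptions of this sketch.

```python
from datetime import datetime

FMT = "%a %b %d %H:%M:%S %Y"  # timestamp format printed by dnssec-settime -p

# (role, algorithm, tag) -> timing fields copied from the thread. The role comes
# from the poster's key list; dnssec-settime -p itself does not print it.
KEYS = {
    ("KSK", 5, 63406): "Activate: Fri Apr 22 12:49:33 2011\nInactive: UNSET\nDelete: UNSET",
    ("ZSK", 5, 16122): "Activate: Tue Nov 29 14:27:19 2011\n"
                       "Inactive: Tue Nov 29 16:08:07 2011\nDelete: Tue Nov 29 17:08:42 2011",
    ("ZSK", 5, 55416): "Activate: Tue Nov 29 15:43:06 2011\n"
                       "Inactive: Wed Nov 30 15:13:06 2011\nDelete: Wed Nov 30 15:47:56 2011",
}

def parse_times(text):
    """Parse 'Field: value' lines; UNSET becomes None."""
    times = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        times[field.strip()] = None if value == "UNSET" else datetime.strptime(value, FMT)
    return times

def is_active(times, now):
    """Assumed rule: Activate reached, and neither Inactive nor Delete reached."""
    start = times.get("Activate")
    if start is None or start > now:
        return False
    return all(times.get(f) is None or times[f] > now for f in ("Inactive", "Delete"))

def missing_roles(keys, now):
    """Return {algorithm: [roles with no active key]} for the quoted requirement."""
    active = {}
    for (role, alg, _tag), text in keys.items():
        active.setdefault(alg, set())
        if is_active(parse_times(text), now):
            active[alg].add(role)
    return {alg: [r for r in ("KSK", "ZSK") if r not in roles]
            for alg, roles in active.items() if roles != {"KSK", "ZSK"}}

if __name__ == "__main__":
    # 13:58 on 1 Dec 2011, the time the poster gives for the reload test
    print(missing_roles(KEYS, datetime(2011, 12, 1, 13, 58)))
```

Run against a planned rollover schedule before the Inactive dates arrive, a non-empty result marks the window in which the zone would be left with only the KSK to sign with.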
