DNSSEC key rollover problems

Spain, Dr. Jeffry A. spainj at countryday.net
Thu Dec 29 01:42:42 UTC 2011

This issue relates to the server nstest.jaspain.net (, which is running bind 9.9.0b2. Please refer to http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the jaspain.net AAAA, A, and TXT RRSets signed by ZSK 35297 expired on 12/17/2011, and those RRSets have not been resigned with the new ZSK 42152.

The metadata for ZSK 35297 calls for it to have become inactive on 12/12/2011 (at zero hours UTC) and for it to be deleted on 1/16/2012. The metadata for the new ZSK 42152 calls for it to have been published on 9/8/2011 and activated on 12/11/2011. The jaspain.net SOA RRSet was signed by ZSK 35297 on 12/10/2011 and by ZSK 42152 at the same time.

First of all is it correct that the time stamps shown by dig for RRSIG records are in local time? Otherwise, if the time stamps show UTC, then the RRSIG for jaspain.net SOA for ZSK 42152 was generated at 20111210230000, one hour prior to that key's activation.

Second, can you offer an explanation as to why ZSK 42152 has not been used to sign the jaspain.net AAAA, A, and TXT RRSets when that key is published, activated, and has been used to sign the SOA RRSet, and the existing signatures by ZSK 35297 have expired?

For the sake of comparison, see http://dnsviz.net/d/countryday.net/dnssec/. This zone, which is served by bind9.8.1-P1, seems to have negotiated the ZSK rollover successfully with the same set of dates in the key metadata... so far at least.

Thanks for your thoughts on this. Happy New Year to all.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20111229/a48a7223/attachment.html>

More information about the bind-users mailing list