DNSSEC auto-dnssec issue bind-9.7.2-P3

Zbigniew Jasiński szopen at nask.pl
Mon Jan 17 13:47:32 UTC 2011



Hi all,

I have my test zone "example" configured with the option auto-dnssec maintain;

zone "example" {
	type master;
	file "var/zone/example";
	allow-update { loopback; };
	allow-transfer { trusted; loopback; };
	auto-dnssec maintain;
	key-directory "var/keys/example";
};

In the server config there's also 'dnssec-enable yes'.

and I've configured keys (KSK/ZSK) with timing options (same for both keys):

; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)

I started BIND and sent an update for my example zone with NSEC3PARAM:

Jan 14 16:08:40 named[25297]: general: zone example/IN: dns_zone_addnsec3chain(hash=1, iterations=12, salt=28EA1FFF42617C9D59B1)
Jan 14 16:08:40 named[25297]: general: zone example/IN: zone_addnsec3chain(1,CREATE,12,28EA1FFF42617C9D59B1)

then sent the rndc sign command:

Jan 14 16:08:41 named[25297]: general: received control channel command 'sign example'
Jan 14 16:08:41 named[25297]: general: zone example/IN: reconfiguring zone keys
Jan 14 16:08:42 named[25297]: general: zone example/IN: zone_addnsec3chain(1,REMOVE|NONSEC,12,28EA1FFF42617C9D59B1)
Jan 14 16:08:42 named[25297]: general: zone example/IN: next key event: 14-Jan-2011 16:13:39.200

The next key event is scheduled for 16:13:39.200, which is correct, and this is the key Publish event:

Jan 14 16:13:39 named[25297]: general: zone example/IN: reconfiguring zone keys
Jan 14 16:13:39 named[25297]: general: zone example/IN: next key event: 14-Jan-2011 16:23:39.234

But what about the Activate event? In the log I just see the Publish, Inactive and Delete events, but no Activate event. The zone is just not signed by named.

If I use the default settings when generating keys (Created, Publish, Activate = NOW), change 'auto-dnssec maintain' to 'auto-dnssec allow' and send 'rndc sign example', the zone is signed without problems.

What's going on?

-- 
regards

zbigniew jasinski
[SYStem OPerator]

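As an added example (not code from the post or from BIND), the following script parses the dnssec-keygen timing comments quoted above from a key file, lists the lifecycle events in the order named should schedule them as "next key event", reports the key's state at a given time, and checks that Publish, Activate, Inactive and Delete are strictly ordered. The sample key file content is constructed from the post's timestamps; the DNSKEY record line is a placeholder.

```python
from datetime import datetime

# Added example, not code from the post or from BIND. Constructed sample of the
# timing comments dnssec-keygen writes into a K*.key file (UTC stamps), copied
# from the post; the DNSKEY record is a placeholder.
SAMPLE_KEY_FILE = """\
; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)
example. IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA=
"""

EVENTS = ("Created", "Publish", "Activate", "Inactive", "Delete")

def parse_timing(text):
    """Return {event: datetime} for the timing comment lines in a key file."""
    timing = {}
    for line in text.splitlines():
        if not line.startswith(";"):
            continue
        name, _, rest = line[1:].strip().partition(":")
        if name in EVENTS and rest.strip():
            stamp = rest.split()[0]  # YYYYMMDDHHMMSS, UTC
            timing[name] = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return timing

def timeline(timing):
    """Events in the order named should schedule them as 'next key event';
    Created is bookkeeping only and never triggers a key event."""
    return sorted((t, e) for e, t in timing.items() if e != "Created")

def key_state(timing, now):
    """unpublished / published (not signing) / active / inactive / deleted."""
    if now < timing.get("Publish", datetime.max):
        return "unpublished"
    if "Delete" in timing and now >= timing["Delete"]:
        return "deleted"
    if "Inactive" in timing and now >= timing["Inactive"]:
        return "inactive"
    if now >= timing.get("Activate", datetime.max):
        return "active"
    return "published"

def check_ordering(timing):
    """Publish < Activate < Inactive < Delete must hold strictly."""
    seq = [timing[e] for e in EVENTS[1:] if e in timing]
    return all(a < b for a, b in zip(seq, seq[1:]))
```

Comparing `timeline()` with the "next key event" lines in the log shows which scheduled event is missing; here the expected sequence is Publish, Activate, Inactive, Delete, while the log jumps from Publish to Inactive.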