DNSSEC auto-dnssec issue bind-9.7.2-P3

Kalman Feher kalman.feher at melbourneit.com.au
Mon Jan 17 14:39:12 UTC 2011


Have you tried more sane times?

Those don't look like sensible times even for a test, which is probably why
BIND isn't signing. I think you are below the sensitivity level for BIND to
sign automatically.

If you want to test, try using hours or days as values. When initially
testing I used lifetimes of a week, then increased to 1 month for ZSKs and 3
months for KSKs. That allowed me to test things quickly, but without
compromising the validity of the test.

On 17/01/11 2:47 PM, "Zbigniew Jasiński" <szopen at nask.pl> wrote:

> Hi all,
> 
> I have my test zone example configured with option auto-dnssec maintain;
> 
> zone "example" {
> type master;
> file "var/zone/example";
> allow-update { loopback; };
> allow-transfer { trusted; loopback; };
> auto-dnssec maintain;
> key-directory "var/keys/example";
> };
> 
> in server conf there's also 'dnssec-enable yes'
> 
> and I've configured keys (KSK/ZSK) with timing options (same for both keys):
> 
> ; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
> ; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
> ; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
> ; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
> ; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)
> 
> I started BIND and sent an update for my example zone with NSEC3PARAM:
> 
> Jan 14 16:08:40 named[25297]: general: zone example/IN:
> dns_zone_addnsec3chain(hash=1, iterations=12, salt=28EA1FFF42617C9D59B1)
> Jan 14 16:08:40 named[25297]: general: zone example/IN:
> zone_addnsec3chain(1,CREATE,12,28EA1FFF42617C9D59B1)
> 
> then sent the rndc sign command:
> 
> Jan 14 16:08:41 named[25297]: general: received control channel command
> 'sign example'
> Jan 14 16:08:41 named[25297]: general: zone example/IN: reconfiguring
> zone keys
> Jan 14 16:08:42 named[25297]: general: zone example/IN:
> zone_addnsec3chain(1,REMOVE|NONSEC,12,28EA1FFF42617C9D59B1)
> Jan 14 16:08:42 named[25297]: general: zone example/IN: next key event:
> 14-Jan-2011 16:13:39.200
> 
> next key event is scheduled for 16:13:39.200 which is correct, and this
> is the key Publish event:
> 
> Jan 14 16:13:39 named[25297]: general: zone example/IN: reconfiguring
> zone keys
> Jan 14 16:13:39 named[25297]: general: zone example/IN: next key event:
> 14-Jan-2011 16:23:39.234
> 
> but what about the Activate event??? In the log I just see Publish, Inactive
> and Delete events but no Activate event. The zone is just not signed by
> named.
> 
> If I use default settings when generating keys (Created, Publish,
> Activate = NOW), change 'auto-dnssec maintain' to 'auto-dnssec allow'
> and send 'rndc sign example' zone is signed without problems.
> 
> what's going on?
> 
> -- 
> regards
> 
> zbigniew jasinski
> [SYStem OPerator]

-- 
Kal Feher 
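As an added example (not code from the thread or from ISC): a small Python check that parses the "; Publish:" style timing comments from a key file and flags consecutive events that are out of order or closer together than an assumed one-hour floor, which would have caught the five-minute schedule quoted above. The one-hour threshold and the weekly sample are constructed assumptions, not limits documented by BIND.

```python
# Added example (not from the thread): parse the timing comments of a BIND
# key file and flag event gaps too short for auto-dnssec to act on sensibly.
import re
from datetime import datetime, timedelta
# Constructed sample 1: the five-minute schedule from the quoted message.
FIVE_MINUTE_KEY = """\
; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)
"""
# Constructed sample 2: the same key with one week between events, as the reply suggests.
WEEKLY_KEY = """\
; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Activate: 20110121150841 (Fri Jan 21 16:08:41 2011)
; Inactive: 20110128150841 (Fri Jan 28 16:08:41 2011)
; Delete: 20110204150841 (Fri Feb  4 16:08:41 2011)
"""

EVENT_ORDER = ["Publish", "Activate", "Inactive", "Delete"]
LINE_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})")

def parse_timing(text):
    """Map each '; Event: YYYYMMDDHHMMSS' comment line to a datetime."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    return events

def check_timing(events, min_gap=timedelta(hours=1)):
    """Return a list of problems: events out of order, or consecutive
    events closer together than min_gap (an assumed one-hour floor)."""
    problems = []
    present = [e for e in EVENT_ORDER if e in events]
    for earlier, later in zip(present, present[1:]):
        gap = events[later] - events[earlier]
        if gap < timedelta(0):
            problems.append(f"{later} is scheduled before {earlier}")
        elif gap < min_gap:
            problems.append(f"{earlier} -> {later}: gap of {gap} is below {min_gap}")
    return problems

if __name__ == "__main__":
    for name, text in (("five-minute key", FIVE_MINUTE_KEY), ("weekly key", WEEKLY_KEY)):
        print(name, check_timing(parse_timing(text)) or ["ok"])
```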



