DNSSEC auto-dnssec issue bind-9.7.2-P3

Zbigniew Jasiński szopen at nask.pl
Wed Jan 19 11:49:11 UTC 2011


On 2011-01-17 15:39, Kalman Feher wrote:
> Have you tried more sane times?
> 
> Those don't look like sensible times even for a test, which is probably why
> BIND isn't signing. I think you are below the sensitivity level for BIND to
> sign automatically.
> 
> If you want to test, try using hours or days as values. When initially
> testing I used lifetimes of a week, then increased to 1 month for ZSKs and 3
> months for KSKs. That allowed me to test things quickly, but without
> compromising the validity of the test.
> 

maybe it was a little too short for keys, but OK, new keys with new timings:

; Created: 20110119091030 (Wed Jan 19 10:10:30 2011)
; Publish: 20110119091124 (Wed Jan 19 10:11:24 2011)
; Activate: 20110119091224 (Wed Jan 19 10:12:24 2011)
; Inactive: 20110218091224 (Fri Feb 18 10:12:24 2011)
; Delete: 20110218091724 (Fri Feb 18 10:17:24 2011)

and what I've seen in logs:

NSEC3PARAM via dynamic update, and 'rndc sign' command:

Jan 19 10:10:24 named[32664]: update: client 127.0.0.1#65349: updating
zone 'example/IN': adding an RR at 'example' NSEC3PARAM
Jan 19 10:10:24 named[32664]: general: zone example/IN:
dns_zone_addnsec3chain(hash=1, iterations=12, salt=1BDF09CE56C674D422EB)
Jan 19 10:10:24 named[32664]: general: zone example/IN:
zone_addnsec3chain(1,CREATE,12,1BDF09CE56C674D422EB)
Jan 19 10:10:30 named[32664]: general: received control channel command
'sign example'
Jan 19 10:10:30 named[32664]: general: zone example/IN: reconfiguring
zone keys
Jan 19 10:10:30 named[32664]: general: zone example/IN:
zone_addnsec3chain(1,REMOVE|NONSEC,12,1BDF09CE56C674D422EB)
Jan 19 10:10:30 named[32664]: general: zone example/IN: next key event:
19-Jan-2011 10:11:24.765

first key event is Publish:

Jan 19 10:11:24 named[32664]: general: zone example/IN: reconfiguring
zone keys
Jan 19 10:11:24 named[32664]: general: zone example/IN: next key event:
19-Jan-2011 11:11:24.807

the second one is Activate, which should occur at (Wed Jan 19 10:12:24 2011),
but in the log it is one hour later; why is that?

but OK, signing the zone is most important, so after the Activate key event:

Jan 19 11:11:24 named[32664]: general: zone example/IN: reconfiguring
zone keys
Jan 19 11:11:25 named[32664]: general: zone example/IN: next key event:
18-Feb-2011 10:12:24.274

so now I should have a signed zone with a KSK/ZSK of one month lifetime.
Using dig:

$ dig @127.0.0.1 example dnskey +dnssec +short
257 3 10 AwEAAa7r9QSelP34TYFVWWLhDVU+RU+LI7Fr9N0Hy2xnJ/8TK8sRo+OC
<CUT>
256 3 10 AwEAAa/sFWJDcylO33IQWnpKEve661t0S/K8+AWPy+PSq69xo27WUGRN
<CUT>

so I have both keys in my zone, but without signatures.

I've checked the journal file and there are updates with RRSIG records,
but named is still returning answers without signatures.

Any hint?

-- 
regards

zbigniew jasinski
[SYStem OPerator]
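One way to check whether named's logged "next key event" times line up with the key's timing metadata, as an added example that is not part of this post or of BIND itself (it assumes the log timestamps are local time at UTC+1, and uses the values quoted above as constructed sample input):

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data copied from the post: dnssec-keygen timing comments
# (the 14-digit field is always UTC) and the 'next key event' times named
# logged. Assumption: named's log timestamps are local time at UTC+1 (CET).
LOCAL_TZ = timezone(timedelta(hours=1))
KEY_METADATA = """\
; Created: 20110119091030 (Wed Jan 19 10:10:30 2011)
; Publish: 20110119091124 (Wed Jan 19 10:11:24 2011)
; Activate: 20110119091224 (Wed Jan 19 10:12:24 2011)
; Inactive: 20110218091224 (Fri Feb 18 10:12:24 2011)
; Delete: 20110218091724 (Fri Feb 18 10:17:24 2011)
"""
LOG_EVENTS = ["19-Jan-2011 10:11:24.765", "19-Jan-2011 11:11:24.807",
              "18-Feb-2011 10:12:24.274"]

META_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})")
TRANSITIONS = ("Publish", "Activate", "Inactive", "Delete")


def parse_key_timing(text):
    """Map each timing comment in a K*.key file to an aware UTC datetime."""
    timing = {}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timing[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timing


def parse_log_event(text, tz=LOCAL_TZ):
    """Convert a logged '19-Jan-2011 10:11:24.765' (local time) to UTC."""
    local = datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def check_schedule(timing, log_events, tolerance=timedelta(seconds=5)):
    """Pair scheduled transitions, in order, with the logged 'next key event'
    times. Returns {transition: (offset, within_tolerance)}, or None for a
    transition the log has not announced yet; a large offset flags a problem."""
    scheduled = [(n, timing[n]) for n in TRANSITIONS if n in timing]
    logged = [parse_log_event(s) for s in log_events]
    report = {}
    for i, (name, expected) in enumerate(scheduled):
        if i >= len(logged):
            report[name] = None
        else:
            offset = logged[i] - expected
            report[name] = (offset, abs(offset) <= tolerance)
    return report
```

On the values above, Publish and Inactive land within a second of the schedule while Activate is announced 59 minutes late, which isolates the discrepancy the post asks about.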

