"Key <foo>: Delaying activation to match the DNSKEY TTL."
Paul B. Henson
henson at acm.org
Thu Jul 7 00:19:26 UTC 2011
On Tue, Jul 05, 2011 at 07:34:22PM -0700, Evan Hunt wrote:
> The key is being published now, and its activation date (i.e., when it
> will start to be used to sign records) is in the near future: less than
> the TTL of the DNSKEY record from now.
>
> When the key starts signing, then someone could get an RRSIG generated by
> that key... but, if that same someone had a cached copy of the DNSKEY
> record from *before* the key was published, then validation could fail.
>
> So, what it's telling you is that named won't start signing records with
> this key until after the old DNSKEY record is guaranteed to have expired
> out of all the resolver caches.
Hmm, thanks for the explanation. However, for this case, while the
activation date was in the near future, the *publish* date was far in
the past.
Per the log output from my update script (which runs dnssec-signzone
behind the scenes):
Jun 30 17:07:26 dns_update[8373]: warning: Key
csupomona.edu/RSASHA256/17755: Delaying activation to match the DNSKEY
TTL. (sign_zone)
Jun 30 17:07:26 dns_update[8373]: warning: Key
csupomona.edu/RSASHA256/1161: Delaying activation to match the DNSKEY
TTL. (sign_zone)
And the corresponding key timing info:
$ dnssec-settime -p all Kcsupomona.edu.+008+17755.key
Created: Thu Jul 8 19:05:30 2010
Publish: Thu Jul 8 19:05:30 2010
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Sun Jul 1 00:00:00 2012
Delete: Tue Jul 3 00:00:00 2012
$ dnssec-settime -p all Kcsupomona.edu.+008+01161.key
Created: Wed Jun 1 00:02:02 2011
Publish: Wed Jun 1 00:02:02 2011
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Mon Aug 1 00:00:00 2011
Delete: Wed Aug 3 00:00:00 2011
I was rolling both the ZSK and my KSK, the first should have been
published for the last month, the second for the last year?
Wait, how does dnssec-signzone know whether or not a key has been
published or not? I could have created a key 10 seconds ago and set a
publication date of last year, and what would distinguish that from a key
actually created and published last year?
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
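The following is an added example, not code from the original post or from BIND. It models the check that the quoted explanation describes: a key should not start producing RRSIGs until the DNSKEY RRset that predates its publication has aged out of every resolver cache, i.e. not before Publish + DNSKEY TTL. It parses the two `dnssec-settime -p all` listings from the post (reproduced as constructed input), computes the earliest safe signing time for an assumed TTL of 86400 seconds, and adds a heuristic that the post's closing question invites: a Publish date earlier than the key's Created date cannot be genuine. Timestamps are treated as naive UTC; the TTL value and the function names are assumptions for illustration.

```python
"""Model of the 'delay activation to match the DNSKEY TTL' rule.

Added example, not BIND's own implementation. Assumptions: timestamps
are naive UTC, the DNSKEY TTL is supplied by the caller in seconds, and
the only evidence of publication is the key file's own metadata.
"""
from datetime import datetime, timedelta

# Constructed input: the two listings quoted in the post above.
SETTIME_17755 = """\
Created: Thu Jul 8 19:05:30 2010
Publish: Thu Jul 8 19:05:30 2010
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Sun Jul 1 00:00:00 2012
Delete: Tue Jul 3 00:00:00 2012
"""

SETTIME_01161 = """\
Created: Wed Jun 1 00:02:02 2011
Publish: Wed Jun 1 00:02:02 2011
Activate: Fri Jul 1 00:00:00 2011
Revoke: UNSET
Inactive: Mon Aug 1 00:00:00 2011
Delete: Wed Aug 3 00:00:00 2011
"""

# Date format printed by dnssec-settime -p (weekday, month, day, time, year).
_SETTIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_settime(text):
    """Parse 'dnssec-settime -p all' output into {field: datetime|None}."""
    times = {}
    for line in text.splitlines():
        field, _, value = line.partition(":")
        value = value.strip()
        if not field or not value:
            continue
        times[field] = None if value == "UNSET" else datetime.strptime(value, _SETTIME_FMT)
    return times


def earliest_safe_signing(times, dnskey_ttl_seconds):
    """Return (earliest signing time, delayed?) for one key.

    Rule as described in the quoted reply: a resolver that fetched the
    DNSKEY RRset just before this key was published may keep that RRset
    for up to one TTL, so RRSIGs made by the new key must not appear
    before Publish + TTL. If Activate is already later than that, there
    is nothing to delay. Only the Publish metadata is consulted, which
    is exactly why a backdated Publish looks the same as a real one.
    """
    caches_clear = times["Publish"] + timedelta(seconds=dnskey_ttl_seconds)
    if times["Activate"] < caches_clear:
        return caches_clear, True
    return times["Activate"], False


def publish_backdated(times):
    """Heuristic: a key cannot have been published before it was created.

    dnssec-settime has no option to rewrite Created, so Publish < Created
    means the publish date was set into the past by hand. This catches
    the case the post asks about only when the file was not hand-edited.
    """
    created = times.get("Created")
    return created is not None and times["Publish"] < created


if __name__ == "__main__":
    TTL = 86400  # assumed DNSKEY TTL of one day, not taken from the post
    for label, text in (("17755", SETTIME_17755), ("01161", SETTIME_01161)):
        t = parse_settime(text)
        when, delayed = earliest_safe_signing(t, TTL)
        print(label, "sign from", when, "delayed" if delayed else "no delay",
              "backdated publish" if publish_backdated(t) else "")
```

For both keys in the post the function reports no delay, because Publish precedes Activate by far more than any plausible DNSKEY TTL; a key whose Publish and Activate coincide is pushed out by one TTL instead. The `publish_backdated` check is only a plausibility test on the file's own fields and is no substitute for an authoritative record of when the DNSKEY actually went into the zone.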