"Key <foo>: Delaying activation to match the DNSKEY TTL."

Paul B. Henson henson at acm.org
Thu Jul 7 00:19:26 UTC 2011


On Tue, Jul 05, 2011 at 07:34:22PM -0700, Evan Hunt wrote:
 
> The key is being published now, and its activation date (i.e., when it
> will start to be used to sign records) is in the near future: less than
> the TTL of the DNSKEY record from now.
> 
> When the key starts signing, then someone could get an RRSIG generated by
> that key... but, if that same someone had a cached copy of the DNSKEY
> record from *before* the key was published, then validation could fail.
> 
> So, what it's telling you is that named won't start signing records with
> this key until after the old DNSKEY record is guaranteed to have expired
> out of all the resolver caches.

Hmm, thanks for the explanation. However, for this case, while the
activation date was in the near future, the *publish* date was far in
the past.

Per the log output from my update script (which runs dnssec-signzone
behind the scenes):

Jun 30 17:07:26 dns_update[8373]: warning:     Key
csupomona.edu/RSASHA256/17755: Delaying activation to match the DNSKEY
TTL. (sign_zone)
Jun 30 17:07:26 dns_update[8373]: warning:     Key
csupomona.edu/RSASHA256/1161: Delaying activation to match the DNSKEY
TTL. (sign_zone)

And the corresponding key timing info:

$ dnssec-settime -p all Kcsupomona.edu.+008+17755.key 
Created: Thu Jul  8 19:05:30 2010
Publish: Thu Jul  8 19:05:30 2010
Activate: Fri Jul  1 00:00:00 2011
Revoke: UNSET
Inactive: Sun Jul  1 00:00:00 2012
Delete: Tue Jul  3 00:00:00 2012

$ dnssec-settime -p all Kcsupomona.edu.+008+01161.key 
Created: Wed Jun  1 00:02:02 2011
Publish: Wed Jun  1 00:02:02 2011
Activate: Fri Jul  1 00:00:00 2011
Revoke: UNSET
Inactive: Mon Aug  1 00:00:00 2011
Delete: Wed Aug  3 00:00:00 2011

I was rolling both the ZSK and my KSK, the first should have been
published for the last month, the second for the last year?

Wait, how does dnssec-signzone know whether or not a key has been
published or not? I could have created a key 10 seconds ago and set a
publication date of last year, and what would distinguish that from a key
actually created and published last year?


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
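As an added example (not BIND's code and not from anyone in the thread), the timing check as Evan describes it, replayed over the `dnssec-settime -p all` output Paul posted. The DNSKEY TTL of 86400 seconds and the signing-run time (taken from the syslog timestamp in the post) are assumptions for illustration, as is the exact comparison; what the script shows is that the rule Evan states measures from "now" (the moment dnssec-signzone runs), not from the key's Publish timestamp, so a key whose Publish date is a year in the past can still be within one TTL of activation at the time of the run.

```python
"""Replay of the "Delaying activation to match the DNSKEY TTL" check.

Added example, not BIND's implementation.  The comparison below is the
rule as Evan Hunt described it in the thread: a key whose Activate time
lies after the reference time but less than one DNSKEY TTL later is
considered too close to activate safely.  DNSKEY_TTL and SIGN_TIME are
assumed values for illustration.
"""
from datetime import datetime

# Metadata copied from the `dnssec-settime -p all` output in the post.
KEY_17755 = """\
Created: Thu Jul  8 19:05:30 2010
Publish: Thu Jul  8 19:05:30 2010
Activate: Fri Jul  1 00:00:00 2011
Revoke: UNSET
Inactive: Sun Jul  1 00:00:00 2012
Delete: Tue Jul  3 00:00:00 2012
"""

KEY_01161 = """\
Created: Wed Jun  1 00:02:02 2011
Publish: Wed Jun  1 00:02:02 2011
Activate: Fri Jul  1 00:00:00 2011
Revoke: UNSET
Inactive: Mon Aug  1 00:00:00 2011
Delete: Wed Aug  3 00:00:00 2011
"""

# Assumed: the signing run is the syslog timestamp from the post, and the
# zone's DNSKEY RRset has a one-day TTL (the actual TTL is not in the post).
SIGN_TIME = datetime(2011, 6, 30, 17, 7, 26)
DNSKEY_TTL = 86400

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Jul  8 19:05:30 2010"


def parse_settime(text):
    """Parse `dnssec-settime -p all` output into {field: datetime|None}."""
    times = {}
    for line in text.splitlines():
        field, _, value = line.partition(":")
        value = value.strip()
        times[field.strip()] = None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
    return times


def seconds_until_activation(times, reference):
    """Signed number of seconds from `reference` to the key's Activate time."""
    return int((times["Activate"] - reference).total_seconds())


def activation_within_ttl(times, reference, ttl_seconds):
    """The rule as Evan stated it: activation is in the future relative to
    `reference`, but less than one DNSKEY TTL away, so a validator that
    cached the DNSKEY RRset just before `reference` could still hold that
    copy when RRSIGs made by this key first appear."""
    delta = seconds_until_activation(times, reference)
    return 0 < delta < ttl_seconds


def earliest_safe_activation(reference, ttl_seconds):
    """When a key could activate without tripping the check: one TTL after
    the reference time (assumed, matching the rule above)."""
    from datetime import timedelta
    return reference + timedelta(seconds=ttl_seconds)


if __name__ == "__main__":
    for name, blob in (("17755", KEY_17755), ("01161", KEY_01161)):
        t = parse_settime(blob)
        # Reference = the signing run, which is what "from now" means.
        print(name, "from now:    delayed =",
              activation_within_ttl(t, SIGN_TIME, DNSKEY_TTL),
              "(%d s to activation)" % seconds_until_activation(t, SIGN_TIME))
        # Reference = the Publish timestamp, which is how the log was read.
        print(name, "from Publish: delayed =",
              activation_within_ttl(t, t["Publish"], DNSKEY_TTL))
    print("earliest activation that would not trip the check:",
          earliest_safe_activation(SIGN_TIME, DNSKEY_TTL))
```

Both keys sit 24754 seconds (just under seven hours) ahead of the run, so with a one-day TTL both are flagged when measured from the run time, and neither is flagged when measured from its Publish timestamp. Note also that the Publish value is only a timestamp in the key file; nothing in the metadata itself records whether the DNSKEY was actually served, which is the gap Paul's closing question points at.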
