rndc-key has expired

fakessh @ fakessh at fakessh.eu
Wed Mar 23 15:24:41 UTC 2011


I use BIND with rndc and ISC DLV for DNSSEC.
My zone config looks like this:


zone "renelacroute.fr" {
        type master;
        file "/var/named/renelacroute.fr.hosts";
        auto-dnssec maintain;
        update-policy local;
        key-directory "/var/named/keys/";
        allow-transfer { 213.251.*.*; 87.98.*.*; 195.234.*.*; 94.23.*.*; 193.223.*.*; };
};


and my dnssec log is:

23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired
23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired
23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature has expired


I cannot use the ISC script to validate the answers (for DNSSEC):


SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
5.814:INFO Total answers: 3
5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
5.816:SUCCESS All DNSKEY responses are identical.
5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1
AwEAAb20...UzDMzFplHk=
5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1
AwEAAbj7...WFfCkn7o38=
5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering.
5.822:DEBUG VERIFY-DNSKEY: Using keys:
5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering.
5.822:FAILURE DNSKEY signature did not validate.
5.822:FINAL_FAILURE FAILURE


On Wednesday 23 March 2011 at 09:29 +0100, Eivind Olsen wrote:
> > I edit the file named.conf
> > modification
> > update-policy {
> >         grant * self * A TXT;
> >     };
> > to update-policy local;
> > it seems more logical.
> > but I'm still stuck on the validation of isc dlv. the script tells me
> > lost keys
> 
> Which script? What exactly does it say?
> 
> I'm guessing you might have enabled dynamic updates in a DNSSEC signed
> zone, without BIND having access to the private keys needed to sign, but
> that's a wild guess really.
> 
> Regards
> Eivind Olsen
> 
> 
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
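The "tsig key 'rndc-key': signature has expired" lines above are BIND rejecting TSIG-signed messages whose signing time lies outside the receiver's acceptance window (RFC 8945 section 5.2.3: the server's clock must be within the key's fudge, 300 s by default, of the time the message was signed, otherwise it answers BADTIME). In practice that almost always means the clock on the host running rndc or nsupdate and the clock on the named host disagree by more than the fudge. The following script is an added example written for this page, not code from the original post or from ISC: it implements that time test, extracts the TSIG time failures from named log lines (the three lines from the post plus two constructed lines, with the mail wrapping removed), counts them per key, and says which side's clock is ahead. The log format and the "signature is in the future" wording are BIND's; the sample lines and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Default TSIG "fudge" in seconds used by BIND and rndc; RFC 8945 recommends 300.
DEFAULT_FUDGE = 300


def tsig_time_check(time_signed: int, now: int, fudge: int = DEFAULT_FUDGE) -> str:
    """Apply the RFC 8945 section 5.2.3 time test that the receiver runs on every
    TSIG-signed message: its own clock `now` must fall inside
    [time_signed - fudge, time_signed + fudge], otherwise the message is
    rejected with BADTIME (TSIG error 18). Returns 'ok', 'expired' (what BIND
    logs as "signature has expired") or 'future' ("signature is in the future")."""
    if now > time_signed + fudge:
        return "expired"
    if now < time_signed - fudge:
        return "future"
    return "ok"


# One event per line, in the form BIND's "dnssec" logging category writes it.
TSIG_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"dnssec: debug \d+: tsig key '(?P<key>[^']+)': "
    r"signature (?P<reason>has expired|is in the future)$"
)


@dataclass
class TsigEvent:
    timestamp: str
    key: str
    reason: str


def parse_tsig_events(lines: Iterable[str]) -> List[TsigEvent]:
    """Pull TSIG time-window failures out of named log lines; other lines are skipped."""
    events = []
    for line in lines:
        m = TSIG_LINE.match(line.strip())
        if m:
            events.append(TsigEvent(m["ts"], m["key"], m["reason"]))
    return events


def summarize(events: Iterable[TsigEvent]) -> Dict[str, Dict[str, int]]:
    """Count failures per key name and reason, e.g. {'rndc-key': {'has expired': 3}}."""
    counts: Dict[str, Dict[str, int]] = {}
    for ev in events:
        per_key = counts.setdefault(ev.key, {})
        per_key[ev.reason] = per_key.get(ev.reason, 0) + 1
    return counts


def likely_cause(summary: Dict[str, Dict[str, int]], key: str) -> str:
    """Translate the dominant reason for a key into the clock relationship it implies:
    'expired' means the receiver (named) is ahead of the signer, 'future' the reverse."""
    reasons = summary.get(key, {})
    if not reasons:
        return "no TSIG time failures for this key"
    dominant = max(reasons, key=reasons.get)
    if dominant == "has expired":
        return "named's clock is more than the fudge ahead of the signer's clock"
    return "the signer's clock is more than the fudge ahead of named's clock"


# Constructed sample: the three lines quoted in the post, unwrapped, plus two
# made-up lines (one 'future' failure and one unrelated message) to exercise the filter.
SAMPLE_LOG = """\
23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired
23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature has expired
23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature has expired
23-Mar-2011 16:18:20.000 dnssec: debug 2: tsig key 'rndc-key': signature is in the future
23-Mar-2011 16:18:21.000 general: info: zone example.test/IN: loaded serial 1
"""

if __name__ == "__main__":
    summary = summarize(parse_tsig_events(SAMPLE_LOG.splitlines()))
    for key_name, reasons in summary.items():
        print(key_name, reasons, "->", likely_cause(summary, key_name))
```

Run against a real named log the script only needs the log lines fed to `parse_tsig_events`; the fix it points at is operational (synchronise both hosts with NTP, then confirm with `date` on each), not a key or policy change, which is why re-generating rndc-key does not make these messages go away.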