rndc-key has expired

fakessh @ fakessh at fakessh.eu
Wed Mar 23 18:40:52 UTC 2011


hi isc
hi list
hi guru of bind


The errors continue to recur: rndc-key expired.

But I applied the command to create the key:
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST rndc-key

On Wednesday, 23 March 2011 at 16:24 +0100, fakessh @ wrote:
> I use bind, rndc and ISC DLV for DNSSEC.
> My zone config is like this:
> 
> 
> zone "renelacroute.fr" {
>         type master;
>         file "/var/named/renelacroute.fr.hosts";
>         auto-dnssec maintain;
>         update-policy local;
>         key-directory "/var/named/keys/";
>         allow-transfer { 213.251.*.*; 87.98.*.*; 195.234.*.*; 94.23.*.*; 193.223.*.*; };
> };
> 
> 
> and my dnssec log is:
> 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature
> has expired
> 23-Mar-2011 16:18:17.701 dnssec: debug 2: tsig key 'rndc-key': signature
> has expired
> 23-Mar-2011 16:18:18.244 dnssec: debug 2: tsig key 'rndc-key': signature
> has expired
> 
> 
> I cannot use the ISC script to validate the answers (for DNSSEC):
> 
> 
> SUCCESS 94.23.59.30 answered DNSKEY query with rcode NOERROR
> 5.814:SUCCESS 87.98.164.164 answered DNSKEY query with rcode NOERROR
> 5.814:SUCCESS 87.98.186.232 answered DNSKEY query with rcode NOERROR
> 5.814:INFO Total answers: 3
> 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.164.164
> 5.815:DEBUG COMPARE: Comparing results from 94.23.59.30 to 87.98.186.232
> 5.816:SUCCESS All DNSKEY responses are identical.
> 5.822:DEBUG VERIFY-DNSKEY: Checking tag=62721 flags=256 alg=RSASHA1
> AwEAAb20...UzDMzFplHk=
> 5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
> 5.822:DEBUG VERIFY-DNSKEY: Checking tag=48793 flags=257 alg=RSASHA1
> AwEAAbj7...WFfCkn7o38=
> 5.822:DEBUG VERIFY-DNSKEY: Ignoring key.
> 5.822:INFO VERIFY-DNSKEY: 2 DNSKEYs found.
> 5.822:INFO VERIFY-DNSKEY: 0 keys found after filtering.
> 5.822:DEBUG VERIFY-DNSKEY: Using keys:
> 5.822:DEBUG VERIFY-DNSKEY: To verify rrset type DNSKEY
> 5.822:FAILURE VERIFY-DNSKEY: No keys found after filtering.
> 5.822:FAILURE DNSKEY signature did not validate.
> 5.822:FINAL_FAILURE FAILURE
> 
> 
> On Wednesday, 23 March 2011 at 09:29 +0100, Eivind Olsen wrote:
> > > I edited the file named.conf,
> > > changing
> > > update-policy {
> > >         grant * self * A TXT;
> > >     };
> > > to update-policy local;
> > > It seems more logical,
> > > but I'm still stuck on the validation of ISC DLV. The script tells me
> > > lost keys.
> > 
> > Which script? What exactly does it say?
> > 
> > I'm guessing you might have enabled dynamic updates in a DNSSEC signed
> > zone, without BIND having access to the private keys needed to sign, but
> > that's a wild guess really.
> > 
> > Regards
> > Eivind Olsen
> > 
> > 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
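A worked model of the check behind that log line, added here as an example and not part of the thread or of BIND's source. A TSIG signature (RFC 2845) carries a 48-bit "time signed" and a 16-bit "fudge" window (BIND's default is 300 seconds); the server verifies the HMAC and then rejects the message with BADTIME if its own clock is more than `fudge` seconds past the signed time, which is what named logs at debug level 2 as "signature has expired". Regenerating rndc-key with dnssec-keygen changes the secret but not the clocks, so the model below keeps one key on both sides and varies only the skew. The key bytes, message bytes and epoch values are constructed, and the MAC input is a simplified subset of the RFC 2845 digest components (the real one also covers the key name, class, TTL, algorithm name, error and other-data fields); `rndc_key_stanza` is a hypothetical helper that only formats a key block of the shape dnssec-keygen produces.

```python
"""Model of the RFC 2845 TSIG time-window check behind BIND's
"tsig key 'rndc-key': signature has expired" log line.

Added example for this thread, not code from the poster or from BIND.
Key bytes, message bytes and timestamps are constructed; the MAC input
is a simplified subset of the RFC 2845 digest components.
"""
import base64
import hmac
import secrets

DEFAULT_FUDGE = 300  # seconds; BIND's default TSIG fudge window

# Constructed sample inputs (not real key material, not a real packet).
SAMPLE_KEY = b"constructed-example-secret-not-a-real-key"
SAMPLE_MESSAGE = b"constructed stand-in for a DNS message wire image"


def tsig_mac_input(message: bytes, time_signed: int, fudge: int) -> bytes:
    """Bytes the HMAC covers here: the DNS message, then the 48-bit
    'time signed' and 16-bit 'fudge' fields in network byte order."""
    return message + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big")


def sign(message: bytes, key: bytes, time_signed: int,
         fudge: int = DEFAULT_FUDGE, algorithm: str = "sha256") -> dict:
    """Client side: stamp the message with the client's own clock and MAC it.
    The thread's rndc-key is HMAC-MD5; pass algorithm="md5" to model that."""
    mac = hmac.new(key, tsig_mac_input(message, time_signed, fudge), algorithm).digest()
    return {"time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(message: bytes, key: bytes, tsig: dict, server_now: int,
           algorithm: str = "sha256") -> tuple:
    """Server side: check the MAC first (RFC 2845 section 4.5.2), then the
    time window (section 4.5.3).  Returns (rcode, detail)."""
    expected = hmac.new(key, tsig_mac_input(message, tsig["time_signed"],
                                            tsig["fudge"]), algorithm).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return ("BADSIG", "mac mismatch")
    if server_now > tsig["time_signed"] + tsig["fudge"]:
        # The case named logs as "signature has expired": the server clock
        # is more than `fudge` seconds ahead of the signed time.
        return ("BADTIME", "signature has expired")
    if server_now < tsig["time_signed"] - tsig["fudge"]:
        # Client clock ahead of the server by more than the window.
        return ("BADTIME", "signature is in the future")
    return ("NOERROR", "ok")


def rndc_key_stanza(name: str = "rndc-key", bits: int = 512,
                    algorithm: str = "hmac-md5") -> str:
    """Hypothetical helper: text of a key {} block of the shape that
    dnssec-keygen -a HMAC-MD5 -b 512 -n HOST rndc-key yields for
    rndc.conf / named.conf.  Fresh random secret on every call."""
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode()
    return (f'key "{name}" {{\n'
            f"        algorithm {algorithm};\n"
            f'        secret "{secret}";\n'
            "};\n")


def demo() -> list:
    """Same key on both sides; only the clock skew changes the outcome."""
    server_now = 1300897097  # constructed epoch value
    results = []
    for skew in (0, 120, -120, 900, -900):
        client_now = server_now - skew  # client clock is `skew` seconds behind
        tsig = sign(SAMPLE_MESSAGE, SAMPLE_KEY, client_now)
        results.append((skew, verify(SAMPLE_MESSAGE, SAMPLE_KEY, tsig, server_now)))
    return results


if __name__ == "__main__":
    for skew, (rcode, detail) in demo():
        print(f"client {skew:+5d}s behind server -> {rcode} ({detail})")
    print(rndc_key_stanza())
```

Running `demo()` gives NOERROR for skews inside the 300-second window and BADTIME "signature has expired" once the client is 900 seconds behind, with no change to the key at all. The practical check that follows from this is to compare `date -u` on the host running rndc or nsupdate against the host running named before touching the key material.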