Recovering from over-enthusiastic key cleanup...

Spain, Dr. Jeffry A. spainj at countryday.net
Thu Feb 2 16:43:29 UTC 2012


> So, is there:
> A: an easy way to figure out what keyfiles are no longer being used / referenced?
> B: a simpler way to recover from this when one *does* make a boo boo?

What a fun evening. For the sake of interest, which version of BIND is in use? With regard to item A, how about executing the following from your key directory:

for f in *.private; do echo; echo $f; dnssec-settime -p all "$f"; done

Any key file for which the Inactive time is in the past would not be needed for signing. BIND would publish it in the zone if the key file were present and the Delete time were in the future (and the Publish time in the past). Any key for which the Delete time is in the past would not need to be retained in the key directory, as it would not be needed for publication or signing.

With regard to B, I don't understand why restoring the deleted key files didn't fix the problem, and so will leave further comment to the experts.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
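The rule above (Inactive in the past: no longer signs; Delete in the past: no longer needs to be in the key directory) applied mechanically to the output of dnssec-settime -p all, as an added example that is not part of the original post. The ctime-style timestamp format and the "Label: value" / "UNSET" layout are assumptions about what dnssec-settime prints; the three key files and their timings are constructed sample data.

```python
import re
import subprocess
from datetime import datetime

# Assumed stamp format printed by dnssec-settime, e.g. "Thu Feb  2 16:43:29 2012"
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample output of `dnssec-settime -p all <keyfile>` for three keys.
SAMPLE_OUTPUT = {
    "Kexample.com.+008+11111.private": (
        "Created: Thu Jan  5 10:00:00 2012\nPublish: Thu Jan  5 10:00:00 2012\n"
        "Activate: Thu Jan 12 10:00:00 2012\nRevoke: UNSET\n"
        "Inactive: Thu Jan 26 10:00:00 2012\nDelete: Thu Feb  9 10:00:00 2012\n"),
    "Kexample.com.+008+22222.private": (
        "Created: Thu Dec  1 10:00:00 2011\nPublish: Thu Dec  1 10:00:00 2011\n"
        "Activate: Thu Dec  8 10:00:00 2011\nRevoke: UNSET\n"
        "Inactive: Thu Dec 15 10:00:00 2011\nDelete: Sun Jan 15 10:00:00 2012\n"),
    "Kexample.com.+008+33333.private": (
        "Created: Thu Jan 26 10:00:00 2012\nPublish: Thu Jan 26 10:00:00 2012\n"
        "Activate: Thu Feb  2 10:00:00 2012\nRevoke: UNSET\n"
        "Inactive: UNSET\nDelete: UNSET\n"),
}


def parse_times(text):
    """Turn 'Label: value' lines into {label: datetime or None (UNSET)}."""
    times = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(.+)$", line.strip())
        if m:
            label, value = m.groups()
            times[label] = None if value == "UNSET" else datetime.strptime(value, TIME_FORMAT)
    return times


def classify(times, now):
    """'removable' if Delete has passed, 'publish-only' if Inactive has passed, else 'active'."""
    if times.get("Delete") is not None and times["Delete"] <= now:
        return "removable"      # neither signed with nor published any more
    if times.get("Inactive") is not None and times["Inactive"] <= now:
        return "publish-only"   # still published until Delete, but no longer signs
    return "active"


def classify_all(outputs, now):
    """Map each key file name to its state; outputs is {filename: dnssec-settime text}."""
    return {name: classify(parse_times(text), now) for name, text in outputs.items()}


def times_from_key_file(keyfile):
    """For real use: run dnssec-settime (must be on PATH) on one key file."""
    out = subprocess.run(["dnssec-settime", "-p", "all", keyfile],
                         check=True, capture_output=True, text=True).stdout
    return parse_times(out)
```

Feed classify_all the output of times_from_key_file for every *.private in the key directory to get the same classification on live keys.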