Recovering from over enthusiastic key cleanup...

Warren Kumari warren at kumari.net
Thu Feb 2 23:11:56 UTC 2012


On Feb 2, 2012, at 11:43 AM, Spain, Dr. Jeffry A. wrote:

>> So, is there:
>> A: an easy way to figure out what keyfiles are no longer being used / referenced?
>> B: a simpler way to recover from this when one *does* make a boo boo?
> 
> What a fun evening. For the sake of interest, which version of bind is in use?


Doh. I always get annoyed when folk forget to include this... and then I did it :-P

BIND 9.8.1-P1 built with '--with-openssl=yes' '--with-randomdev=/dev/urandom' '--enable-threads'
using OpenSSL version: OpenSSL 0.9.8o 01 Jun 2010



> With regard to item A, how about executing the following from your key directory:
> 
> for f in *.private; do echo; echo $f; dnssec-settime -p all "$f"; done
> 
> Any key file for which the Inactive time is in the past would not be needed for signing. Bind would publish it in the zone if the key file were present and the Delete time were in the future (and the Publish time in the past). Any key for which the Delete time is in the past would not need to be retained in the key directory, as it would not be needed for publication or signing.

Hmmm. Yeah, that will work...

Thanks
W


> 
> With regard to B, I don't understand why restoring the deleted key files didn't fix the problem, and so will leave further comment to the experts.
> 
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School
> 
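The audit Jeffry describes above (walk the key directory, read each key's timing metadata, and treat keys whose Inactive time is past as no longer signing and keys whose Delete time is past as no longer needed at all) as a small script. This is an added example, not code from the thread or from BIND itself. It assumes dnssec-settime accepts -u (print times as UNIX epoch seconds) together with -p all, as it does in BIND 9.7 and later, that key files follow the usual K<zone>+<alg>+<id>.private naming, and that "now" can be taken from `date +%s`. The sample dnssec-settime output embedded at the end is constructed so the classifier can be exercised on a box without BIND installed.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): classify the DNSSEC key
# files in a BIND key directory by their dnssec-settime timing metadata.
#
# Assumptions (not stated on the page): dnssec-settime supports `-u -p all`
# (epoch-seconds output, BIND 9.7+), key files are named
# K<zone>+<alg>+<id>.private, and the current time comes from `date +%s`.

# classify_key NOW OUTPUT
#   NOW    : current time as epoch seconds
#   OUTPUT : the text printed by `dnssec-settime -u -p all Kfile.private`
# Prints one of:
#   unused    - Delete time is in the past: the key is neither published nor
#               used for signing, so the file can go
#   published - Inactive time is in the past but Delete is UNSET or in the
#               future: still published in the zone, no longer signing
#   active    - anything else (still signing, or not yet active)
classify_key() {
    now=$1
    out=$2
    inactive=$(printf '%s\n' "$out" | sed -n 's/^Inactive: //p')
    delete=$(printf '%s\n' "$out" | sed -n 's/^Delete: //p')
    if [ -n "$delete" ] && [ "$delete" != UNSET ] && [ "$delete" -le "$now" ]; then
        echo unused
    elif [ -n "$inactive" ] && [ "$inactive" != UNSET ] && [ "$inactive" -le "$now" ]; then
        echo published
    else
        echo active
    fi
}

# audit_keydir DIR: run the classifier over every .private key file in DIR and
# print "<state><TAB><file>" per key. Requires dnssec-settime on PATH.
audit_keydir() {
    now=$(date +%s)
    for f in "$1"/K*.private; do
        [ -e "$f" ] || continue
        state=$(classify_key "$now" "$(dnssec-settime -u -p all "$f")")
        printf '%s\t%s\n' "$state" "$f"
    done
}

# Constructed sample in the `dnssec-settime -u -p all` output format (these
# times are made up for the example): a key that went inactive at 1320000000
# and is scheduled for deletion at 1325000000.
SAMPLE_RETIRED='Created: 1300000000
Publish: 1300000000
Activate: 1300000000
Revoke: UNSET
Inactive: 1320000000
Delete: 1325000000'

# Example run against the constructed sample; classify_key prints "unused"
# here because the Delete time is earlier than the supplied "now".
classify_key 1330000000 "$SAMPLE_RETIRED"
```

To audit a live server, run `audit_keydir /path/to/keys` (the directory named by key-directory in named.conf) and only consider removing files reported as `unused`; anything reported as `published` is still in the zone and deleting its file is exactly the kind of boo boo the thread is about. Note the script compares epoch integers, so it depends on `-u`; without that flag dnssec-settime prints ctime-style text and the numeric tests fail.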



