KSK stays published 3 days after delete time

Axel Rau Axel.Rau at chaos1.de
Fri May 11 10:23:24 UTC 2012

Am 10.05.2012 um 23:52 schrieb Evan Hunt:

>>> key 22924 of framail.de has a delete date of 2012-05-07T14:55:02 set.
>>> It has been deleted from the repository at 2012-05-07T14:55:02.569706,
>>> but is still included by named 9.9.0 in the zone framail.de
>>> (as of 2012-05-10T19:51:32).
>> To clarify: I'm using inline-signing.
>> The repository is the key-directory configured in named.conf.
>> "Deleted" means: My script deleted it.
> Named won't delete the key from the zone unless you explicitly tell
> it to do so.  For all it knows, your key file may have been removed
> by mistake.
> The correct way to remove a key from your zone is to schedule it
> for deletion.  If it already has a successor published, then you can
> schedule the event immediately:
>   $ dnssec-settime -K <repository-path> -D now Kframail.de.+007+13245
That's what I mean with "key 22924 of framail.de has a delete date of
2012-05-07T14:55:02 set".
>   $ rndc loadkeys framail.de
> The -D option says "the key should be deleted after the specified
> time", which in this case is "now".  "rndc loadkeys" tells named to
> examine the keys in the repository and note any changes to the scheduled
> events.  named will see that the specified KSK is scheduled for deletion,
> it will remove it from the DNSKEY RRset, and it will resign the DNSKEY
> RRset wth the remaining key(s).
I have "auto-dnssec maintain;" set and my understanding is, that named
does not require a rndc loadkeys to remove the key from the DNSKEY RRSET
if the delete time, set with  dnssec-settime, has passed.
Is this wrong?
> After that's happened, you can remove the key file from the repository
> if you wish.
> If you still have a copy of the key file, put it back and follow the
> above steps.  Otherwise, I suggest resigning the zone from scratch
> with the remaining keys.  (Update the SOA serial number in the unsigned
> zonefile to something higher than the current serial number in the
> signed zone; move <file>.signed and <file>.signed.jnl to some other
> location; restart named.  A new signed zone should be generated with
> the correct keyset.)

PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

More information about the bind-users mailing list