9.9.1 continues to sign with inactive KSK

Tony Finch dot at dotat.at
Fri May 25 12:16:51 UTC 2012


Axel Rau <Axel.Rau at chaos1.de> wrote:
>
> The tags of the KSKs with their dates are (set with dnssec-settime):
> ---
> [framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
> [framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
> ---
> 46210 is inactive and still used to sign DNSKEYs (from dig +dnssec DNSKEY framail.de. at 2012-05-25T13:55):
> ---
> framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
> framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
> ---
> Shouldn't named have ceased signing keys with this key?

The 46210 signature's inception date is 2012-05-23 which is before its
key's inactive date 2012-05-24.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Biscay: East 3 or 4, becoming cyclonic 4 or 5, occasionally 6 later. Slight or
moderate. Fog patches at first. Moderate or good, occasionally very poor at
first.
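
The comparison made in the reply above, as an added example (not part of the original message and not BIND code): it parses the key timing lines and RRSIG lines quoted in the message and classifies each signature by whether its inception falls before or after the signing key's inactive date. All timestamps are assumed to be UTC, and the function names and verdict labels are illustrative.

```python
import re
from datetime import datetime, timezone

# Values copied from the quoted message (signature data is elided there too).
KEYS = """\
[framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
[framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
"""
RRSIGS = """\
framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
"""
KEY_RE = re.compile(r"\[[^/\]]+/\w+/(\d+)/\d+\(([^)]*)\)\]")

def ts(s):
    # Assumption: every timestamp is UTC; the page gives no zone for the key dates.
    fmt = "%Y%m%d%H%M%S" if s.isdigit() else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_keys(text):
    """Map key tag -> {'A': activate, 'I': inactive, 'D': delete}."""
    keys = {}
    for tag, times in KEY_RE.findall(text):
        pairs = (p.strip().split(":", 1) for p in times.split(","))
        keys[int(tag)] = {name: ts(value) for name, value in pairs}
    return keys

def parse_rrsigs(text):
    """Yield (key tag, inception, expiration) from dig-style RRSIG lines."""
    for line in text.splitlines():
        f = line.split()
        if "RRSIG" in f:
            i = f.index("RRSIG")  # RDATA: covered alg labels ttl expiration inception tag
            yield int(f[i + 7]), ts(f[i + 6]), ts(f[i + 5])

def audit(keys, sigs, now):
    """Classify each signature against its key's inactive date (KeyError on unknown tag)."""
    result = {}
    for tag, inception, expiration in sigs:
        key = keys[tag]
        if inception >= key["I"]:
            result[tag] = "signed-after-inactive"  # what the question suspected
        elif now >= expiration:
            result[tag] = "expired"
        elif now >= key["I"]:
            result[tag] = "leftover-from-active-period"  # made before I, still valid
        else:
            result[tag] = "current"
    return result
```

Calling `audit(parse_keys(KEYS), parse_rrsigs(RRSIGS), ts("2012-05-25T13:55:00"))` uses the time of the dig query given in the message as the observation time.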


