9.9.1 continues to sign with inactive KSK

Axel Rau Axel.Rau at chaos1.de
Fri May 25 22:10:38 UTC 2012


On 25.05.2012 at 14:16, Tony Finch wrote:

> Axel Rau <Axel.Rau at chaos1.de> wrote:
>> 
>> The tags of the KSKs with their dates are (set with dnssec-settime):
>> ---
>> [framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
>> [framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
>> ---
>> 46210 is inactive and still used to sign DNSKEYs (from dig +dnssec DNSKEY framail.de. at 2012-05-25T13:55):
>> ---
>> framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
>> framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
>> ---
>> Shouldn't named have ceased signing keys with this key?
> 
> The 46210 signature's inception date is 2012-05-23 which is before its
> key's inactive date 2012-05-24.
That's true, but this sig does not live until its expire time at 2012-06-22.
In my case, it disappeared on 2012-05-26 between 15:55 and 16:55.

Questions:
Why did it disappear at that time?
In general terms, at which point in time can I be sure that all sigs are removed?

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
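
Added example, not part of the original message and not BIND code: a Python check that relates each RRSIG quoted in the thread to the timing metadata of the key that produced it, showing whether the signature was created inside the key's active window and when it expires. The key listing and RRSIG lines are copied from the post (whitespace collapsed); the function names are hypothetical, and the key-listing times and the dig time are assumed to be UTC because the post gives no zone.

```python
import re
from datetime import datetime, timezone

# Copied from the post; key-listing times carry no zone and are assumed UTC.
KEYS = """\
[framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
[framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
"""
RRSIGS = """\
framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
"""
OBSERVED = "2012-05-25T13:55:00"  # time of the dig query in the post, assumed UTC

KEY_RE = re.compile(r"\[[^/\]]+/KSK/(\d+)/\d+\(A:([^,]+), I:([^,]+), D:([^)]+)\)\]")
# RRSIG rdata order: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name.
SIG_RE = re.compile(r"RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s")

def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def parse_keys(listing):
    """Map key tag -> Activate / Inactive / Delete times from the listing."""
    iso = "%Y-%m-%dT%H:%M:%S"
    return {int(tag): {"A": _utc(a, iso), "I": _utc(i, iso), "D": _utc(d, iso)}
            for tag, a, i, d in KEY_RE.findall(listing)}

def audit(listing, rrsigs, observed):
    """Relate each RRSIG to the timing metadata of the key that made it."""
    keys, rows = parse_keys(listing), {}
    now = _utc(observed, "%Y-%m-%dT%H:%M:%S")
    for covered, expire, incept, tag in SIG_RE.findall(rrsigs):
        key = keys.get(int(tag))
        if key is None:  # signature by a key that is not in the listing
            rows[int(tag)] = {"covered": covered, "known_key": False}
            continue
        inception = _utc(incept, "%Y%m%d%H%M%S")
        rows[int(tag)] = {
            "covered": covered, "known_key": True,
            "made_while_active": key["A"] <= inception < key["I"],
            "key_inactive_at_observation": now >= key["I"],
            "expires": _utc(expire, "%Y%m%d%H%M%S"),
        }
    return rows

if __name__ == "__main__":
    for tag, row in audit(KEYS, RRSIGS, OBSERVED).items():
        print(tag, row)
```

The script only classifies what the two listings show; it does not model when named drops a signature from the zone.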