"auto-dnssec maintain;" and key "missing or inactive and has no replacement"

Tony Finch dot at dotat.at
Wed Jul 24 23:05:35 UTC 2013

Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 missing or inactive and has no replacement: retaining signatures.
> Which I do not understand. The key is there:
> % ls -lt /tmp/bind/Kexample.+008+46747*
> -rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
> -rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private

Obvious question: does BIND have permission to read the private key?
I guess it does since it managed to re-sign.

Does the zone have only one key which is a KSK?

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
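
Both questions in the reply above can be answered from the key directory. The following is an added example, not part of the original message or of BIND: the function name `check_zone_keys` is hypothetical, it assumes key files named as in the quoted `ls` output, and it has to be run as the user `named` runs as for the readability result to mean anything.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread or from BIND).
# Usage: check_zone_keys KEYDIR ZONE
# Prints one line per key: "<keytag> <KSK|ZSK> private=<readable|unreadable|missing>"
# followed by a summary line "summary ksk=<n> zsk=<n>".
check_zone_keys() {
    dir=$1 zone=$2 ksk=0 zsk=0
    for keyfile in "$dir"/K"$zone".+*.key; do
        [ -f "$keyfile" ] || continue          # glob matched nothing
        base=${keyfile%.key}
        tag=${base##*+}                        # key tag is the last +NNNNN field
        # The flags are the field after the DNSKEY type; skip ';' comment lines.
        flags=$(awk '!/^;/ { for (i = 1; i < NF; i++) if ($i == "DNSKEY") { print $(i+1); exit } }' "$keyfile")
        case $flags in ''|*[!0-9]*) echo "$tag unparsed"; continue ;; esac
        # Bit 0 of the flags field is the SEP bit: 257 = KSK, 256 = ZSK.
        if [ $((flags & 1)) -eq 1 ]; then role=KSK; ksk=$((ksk + 1)); else role=ZSK; zsk=$((zsk + 1)); fi
        # Readability is tested for the user running this script.
        if [ ! -e "$base.private" ]; then priv=missing
        elif [ -r "$base.private" ]; then priv=readable
        else priv=unreadable; fi
        echo "$tag $role private=$priv"
    done
    echo "summary ksk=$ksk zsk=$zsk"
}

# Stand-alone use: sh check_zone_keys.sh /tmp/bind example
if [ "$#" -ge 2 ]; then check_zone_keys "$1" "$2"; fi
```

A summary of `ksk=1 zsk=0` corresponds to the "only one key which is a KSK" case asked about above.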
