inactivating and deleting DNSSEC keys

Alan Clegg alan at clegg.com
Tue Oct 8 22:51:11 UTC 2013


On Oct 8, 2013, at 6:42 PM, David Newman <dnewman at networktest.com> wrote:

> bind 9.9.4
> 
> How to troubleshoot issues when keys are supposed to be invalidated or
> deleted on specific dates, but aren't?
> 
> In this case, a KSK was supposed to be inactivated on 29 September 2013
> and deleted on 9 October 2013.
> 
> From the .key file:
> 
> ; This is a key-signing key, keyid 56989, for networktest.com.
> ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
> ; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)
> 
> Problem is, dig says the key is still active, and will be until 29
> October 2013:
> 
> $ dig networktest.com @localhost +multi rrsig | grep 56989
> 
> 20131029191450 20130929181450 56989 networktest.com.

You don't provide all of the record.  It's an RRSIG that is still within its lifetime.

Do a dig for "DNSKEY" rrtype at the zone name and see what you get back.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | alan at clegg.com
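As an added example (not code from the thread or from BIND itself), a small Python script that reads the timing comments BIND writes into the .key file quoted above and checks the quoted RRSIG's inception and expiration against the same clock. It shows that on the date of the reply the key is already in its Inactive state while the signature made on 29 September still validates until 29 October. The sample inputs are copied from the thread; the field names are the standard ones BIND's dnssec tools write.

```python
from datetime import datetime, timezone

# Constructed sample input: the timing comments BIND writes at the top of a
# K<zone>+<alg>+<keyid>.key file, copied from the file quoted in the thread.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct  9 13:15:10 2013)
"""
# Tail of the RRSIG line from the thread's dig output: expiration, inception, key tag, signer.
RRSIG_TAIL = "20131029191450 20130929181450 56989 networktest.com."

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")

def parse_ts(text):
    """BIND timing values are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_timing(key_file):
    """Return {field: datetime} for the ';' metadata lines of a .key file."""
    timing = {}
    for line in key_file.splitlines():
        if not line.startswith(";") or ":" not in line:
            continue
        field, value = line[1:].split(":", 1)
        if field.strip() in TIMING_FIELDS:
            timing[field.strip()] = parse_ts(value.split()[0])
    return timing

def key_state(timing, now):
    """What the metadata tells named to do with the key at time `now`."""
    if "Delete" in timing and now >= timing["Delete"]:
        return "deleted"      # DNSKEY removed from the zone
    if "Inactive" in timing and now >= timing["Inactive"]:
        return "inactive"     # DNSKEY still published, no new signatures made
    if "Activate" in timing and now >= timing["Activate"]:
        return "active"
    if "Publish" in timing and now >= timing["Publish"]:
        return "published"    # DNSKEY in the zone, not yet signing
    return "unpublished"

def rrsig_valid(rrsig_tail, now):
    """An existing RRSIG validates between its inception and expiration; the
    signing key going Inactive later does not shorten that window."""
    expiration, inception, _tag, _signer = rrsig_tail.split()
    return parse_ts(inception) <= now < parse_ts(expiration)
```

Run `key_state(parse_key_timing(KEY_FILE), parse_ts("20131008225111"))` and `rrsig_valid(RRSIG_TAIL, ...)` for the date of the reply to see "inactive" alongside a still-valid signature; the DNSKEY itself must stay published until that RRSIG has been replaced or has expired.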
