inactivating and deleting DNSSEC keys
alan at clegg.com
Tue Oct 8 22:59:47 UTC 2013
On Oct 8, 2013, at 6:51 PM, Alan Clegg <alan at clegg.com> wrote:
> On Oct 8, 2013, at 6:42 PM, David Newman <dnewman at networktest.com> wrote:
>> Problem is, dig says the key is still active, and will be until 29
>> October 2013:
>> $ dig networktest.com @localhost +multi rrsig | grep 56989
>> 20131029191450 20130929181450 56989 networktest.com.
> You don't provide all of the record. It's an RRSIG that is still within its lifetime.
> Do a dig for "DNSKEY" retype at the zone name and see what you get back.
That was "type" not "retype".
Anyway, this brings up a request that I've made that all RRSIG records be removed if the associated DNSKEYs are removed, but at this point, it's not the default. This is taken from "man dnssec-signzone":
Remove signatures from keys that no longer exist.
Normally, when a previously-signed zone is passed as input to the
signer, and a DNSKEY record has been removed and replaced with a
new one, signatures from the old key that are still within their
validity period are retained. This allows the zone to continue to
validate with cached copies of the old DNSKEY RRset. The -R forces
dnssec-signzone to remove all orphaned signatures.
I believe that this should be the default behavior (otherwise, we get double signatures when rolling ZSKs).
The point of doing all of the timing calculation surrounding key rollover is to solve the problem of those cached keys; I don't think that dnssec-signzone (or the automated signing) is doing anyone a favor.
Or there needs to be a zone (and global) specific option that allows the same "-R" behavior during automated rollovers.
Alan Clegg | +1-919-355-8851 | alan at clegg.com
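The check Alan suggests (query DNSKEY at the zone apex and compare against the key tags in the RRSIGs) can be automated. The following is an added example, not code from the thread or from BIND: it computes each DNSKEY's key tag per RFC 4034 Appendix B, parses dig output (plain or +multi) for the zone, and reports RRSIGs whose key tag no longer matches any published DNSKEY, which is exactly the "orphaned signature" that dnssec-signzone -R would strip. The zone data, keys and signatures embedded below are constructed for illustration and are not real networktest.com records; in practice you would feed it the output of `dig @localhost networktest.com DNSKEY RRSIG` or a dump of the signed zone file.

```python
"""Report RRSIGs in a zone that are signed by a key absent from the DNSKEY RRset.

Added example (hypothetical helper); not part of the bind-users post or of BIND.
"""
import base64
import struct


def dnskey_keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B.

    The obsolete RSA/MD5 (algorithm 1) special case is deliberately ignored.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def _records(text):
    """Yield each RR as a token list; joins dig +multi '( ... )' continuations, drops ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf).split()
            buf, depth = [], 0


def orphaned_rrsigs(dig_output):
    """Return RRSIGs whose key tag matches no DNSKEY in the same output.

    Presentation format assumed: owner ttl IN TYPE rdata...
    RRSIG rdata: type-covered alg labels origttl expiration inception keytag signer sig
    DNSKEY rdata: flags protocol alg base64-key (key may be split over several tokens)
    """
    published, sigs = set(), []
    for f in _records(dig_output):
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            published.add(dnskey_keytag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG" and len(f) >= 12:
            sigs.append({"owner": f[0], "covers": f[4], "expires": f[8],
                         "keytag": int(f[10]), "signer": f[11]})
    return [s for s in sigs if s["keytag"] not in published]


# Constructed sample (not real zone data): two live keys (tags 2062 and 17513)
# and signatures from a retired key 56989 that are still inside their validity window.
SAMPLE = """\
; <<>> constructed dig-style output <<>>
networktest.com.  3600 IN DNSKEY 256 3 8 AQIDBA==
networktest.com.  3600 IN DNSKEY 257 3 8 ECAwQA==
networktest.com.  3600 IN RRSIG DNSKEY 8 2 3600 20131029191450 20130929181450 17513 networktest.com. c2lnMQ==
networktest.com.  3600 IN RRSIG SOA 8 2 3600 20131029191450 20130929181450 2062 networktest.com. c2lnMg==
networktest.com.  3600 IN RRSIG SOA 8 2 3600 20131029191450 20130929181450 56989 networktest.com. c2lnMw==
networktest.com.  3600 IN RRSIG A 8 2 3600 (
                        20131029191450 20130929181450 56989 networktest.com.
                        c2lnNA== )
"""

if __name__ == "__main__":
    for s in orphaned_rrsigs(SAMPLE):
        print("orphaned RRSIG: %s %s keytag=%d (valid until %s, signer %s)"
              % (s["owner"], s["covers"], s["keytag"], s["expires"], s["signer"]))
```

A signature listed here still validates for any resolver that holds the old DNSKEY in cache, which is why dnssec-signzone keeps it by default; if you have already waited out the DNSKEY TTL and the rollover timing, these are the records -R would remove, and their presence after that point is a sign the retired key's signatures were never cleaned up.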