ZSK rollover weirdness
Tony Finch
dot at dotat.at
Fri Sep 6 16:39:11 UTC 2013
Lawrence K. Chen, P.Eng. <lkchen at ksu.edu> wrote:
>
> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 20130601090000 (Sat Jun 1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Revoke: 20130901090000 (Sun Sep 1 04:00:00 2013)
> ; Inactive: 20130915090000 (Sun Sep 15 04:00:00 2013)

I think your problem here is that the inactive date is after the revoke
date, so the key will still be used to sign the zone after it has been
revoked.

> ; Delete: 20130929090000 (Sun Sep 29 04:00:00 2013)
> ksu.edu. IN DNSKEY 256 3 8 AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe 52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1 t3rQaznB
>
> Where is 14693 coming from?

It is the same key as 14565 but the addition of the revoke bit has changed
the tag.

Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
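
The reply above says the revoke bit changes the key tag. The following added example (not part of the original message, and not BIND's own code) computes the tag with the RFC 4034 Appendix B algorithm over the DNSKEY quoted in the thread, once as published and once with the RFC 5011 REVOKE bit set. The function names are this example's own.

```python
import base64
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field

# DNSKEY fields copied from the key file quoted in the thread above.
PAGE_FLAGS, PAGE_PROTOCOL, PAGE_ALGORITHM = 256, 3, 8
PAGE_PUBKEY_B64 = (
    "AwEAAc1HU7nrlgFeGLZSgHCytd+BItSNgR5gY4iemDCAX9+z+cpyq/Pe"
    "52kLuFxDjCj89EzdjKFDGAkPRDPImWlTQLCr3WQl8g5SIOs67bBR72hv"
    "q2tHmgpK+/j9Z4yqLRyld/Kpl2FRNWc7dvqh8i+Sd0or5WrLO3ocftS1"
    "t3rQaznB"
)

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    key = base64.b64decode(pubkey_b64, validate=True)
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # sum RDATA as 16-bit words
    acc += (acc >> 16) & 0xFFFF               # fold the carry back in
    return acc & 0xFFFF

def tags_before_and_after_revoke(flags, protocol, algorithm, pubkey_b64):
    """Return (tag, tag with REVOKE set) for the same public key."""
    plain = key_tag(dnskey_rdata(flags & ~REVOKE, protocol, algorithm, pubkey_b64))
    revoked = key_tag(dnskey_rdata(flags | REVOKE, protocol, algorithm, pubkey_b64))
    return plain, revoked

if __name__ == "__main__":
    plain, revoked = tags_before_and_after_revoke(
        PAGE_FLAGS, PAGE_PROTOCOL, PAGE_ALGORITHM, PAGE_PUBKEY_B64)
    print(f"computed key tags: {plain} -> {revoked}")
    print("thread reports:    14565 -> 14693")
```

Because the flags field is part of the summed RDATA, setting bit 0x0080 normally shifts the tag by 128, so a revoked key shows up under a new key id even though the key material is unchanged.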