KSK signing incomplete

Phil Mayers p.mayers at imperial.ac.uk
Wed May 21 10:39:40 UTC 2014

On 21 May 2014 10:24:23 BST, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>> Further, I see that sometimes there are no private records at all.
>> does this happen? (I never called "rndc signing -clear") 
>It seems that this happens when Bind is restarted.
>So, what is the suggested (and reliable) way for external tools to get
>the signing status from Bind? I.e. if a key is still used for signing
>can be deleted?

We bodge this by axfr'ing the zone and parsing the rrsig to see which keys are generating which sigs (or not). Nasty and slow, but reliable, and also lets you look for signatures that haven't been regenerated on schedule.
Sent from my phone with, please excuse brevity and typos

More information about the bind-users mailing list