KSK signing incomplete

Klaus Darilion klaus.mailinglists at pernau.at
Wed May 21 11:55:44 UTC 2014

On 21.05.2014 12:39, Phil Mayers wrote:
> On 21 May 2014 10:24:23 BST, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>>> Further, I see that sometimes there are no private records at all.
>> When
>>> does this happen? (I never called "rndc signing -clear") 
>> It seems that this happens when Bind is restarted.
>> So, what is the suggested (and reliable) way for external tools to get
>> the signing status from Bind? I.e. if a key is still used for signing
>> or
>> can be deleted?
>> Thanks
>> Klaus
> We bodge this by axfr'ing the zone and parsing the rrsig to see which keys are generating which sigs (or not). Nasty and slow, but reliable, and also lets you look for signatures that haven't been regenerated on schedule.

That's actually what I wanted to avoid. I thought there will be an "API"
or similar to get the signing status of the zone and thought that the
private records will solve my troubles, but it seems I was wrong.

I think I will do something similar - not nice if you have plenty of
zones ...


More information about the bind-users mailing list