Testing RFC 5011 key roll

Evan Hunt each at isc.org
Mon Apr 20 19:12:09 UTC 2015


On Mon, Apr 20, 2015 at 06:42:42PM +0000, Edward Lewis wrote:
> Being that I'm working on a laptop (hence on over the weekend) I've had
> to recreate the environment today.  I'm a bit more puzzled now.

There's a separate file that named creates to keep the current
managed keys state information -- it's based on the view name,
so in your case it'll be "recursive.mkeys" (and possibly
"recursive.mkeys.jnl").  I suspect it still has the key from
Friday in it, and that's messing things up.  Delete that file and
reinitialize, then leave the server up and running (not forgetting
to use -T mkeytimers=H/D/M, where M is no more than 3600 seconds,
because keyroll.systems rolls its keys every hour and normal RFC
5011 processing can't handle that), and you should be in good shape.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
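A small shell helper for the reset-and-restart steps described in the message above, added here as an example and not part of the original thread. It assumes the per-view state files sit in named's working directory under the names given above (`<view>.mkeys`, `<view>.mkeys.jnl`) and that the `-T mkeytimers=H/D/M` fields are integers in seconds; the named command is composed but not executed.

```bash
#!/bin/sh
# Added example (not from the thread): reset RFC 5011 managed-keys state for
# one view and sanity-check the mkeytimers override before restarting named.

# Print the managed-keys state files for a view (names as in the message).
mkeys_files() {
    printf '%s.mkeys %s.mkeys.jnl\n' "$1" "$1"
}

# Validate an H/D/M argument: exactly three integer fields, and the last
# field M no more than 3600 s, so an hourly key roll is still observed.
# Returns 0 when acceptable, 1 otherwise.
check_mkeytimers() {
    timers=$1
    case "$timers" in
        *[!0-9/]*|*/*/*/*) return 1 ;;   # non-numeric, or more than three fields
    esac
    h=${timers%%/*}; rest=${timers#*/}
    d=${rest%%/*};  m=${rest#*/}
    # "$rest" = "$m" means there was no second slash (fewer than three fields)
    [ -n "$h" ] && [ -n "$d" ] && [ -n "$m" ] && [ "$rest" != "$m" ] || return 1
    [ "$m" -le 3600 ]
}

# Move the state files for a view out of named's working directory (kept as
# .bak copies) so named rebuilds them from the configured managed-keys.
reset_mkeys() {
    dir=$1; view=$2
    for f in $(mkeys_files "$view"); do
        [ -f "$dir/$f" ] && mv "$dir/$f" "$dir/$f.bak"
    done
    return 0
}

# Compose the named invocation for the test run; refuses bad timer values.
# (-T mkeytimers is a test-only option, as the message notes; -c is the
# config file path, assumed here.)
named_cmd() {
    check_mkeytimers "$1" || return 1
    printf 'named -T mkeytimers=%s -c %s\n' "$1" "$2"
}
```

Run `reset_mkeys /var/named recursive` and then start named with the output of `named_cmd 3600/1800/3600 /etc/named.conf`, adjusting the directory and timers to your setup.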

