Testing RFC 5011 key roll

Edward Lewis edward.lewis at icann.org
Tue Apr 21 13:23:12 UTC 2015


I've updated to 9.10.2, adjusted the timers, etc., and have managed to
follow the keyroll.systems test over night (a handful of key changes) plus
still get the desired "AD" bit.

With the timing in mind, I looked at my unbound (I realize this is BIND
users ;)) which wasn't keeping up with the rolls - I had neglected to
speed up it's clock.  Once I did that, it worked.

My lesson is - besides just working out the configuration - testing
RFC5011 takes more patience than just about any other feature of
DNS/DNSSEC.  RFC5011 is the most wall-clock driven mechanism we have.
(Yes, signatures expire and TTL's lapse, but these can be set low in lab

I have a suggestion - is there a way to query a BIND server for it's trust
anchor key set?  Perhaps it is unnecessary and perhaps it should only be
allowed by authorized users.  I say perhaps unnecessary because the
information may be available on disk (which an administrator could get to
via ssh, perhaps).


On 4/20/15, 15:12, "Evan Hunt" <each at isc.org> wrote:

>On Mon, Apr 20, 2015 at 06:42:42PM +0000, Edward Lewis wrote:
>> Being that I'm working on a laptop (hence on on over the weekend) I've
>> to recreate the environment today.  I'm a bit more puzzled now.
>There's a separate file that named creates to keep the current
>managed keys state information -- it's based on the view name,
>so in your case it'll be "recursive.mkeys" (and possibly
>"recursive.mkeys.jnl").  I suspect it still has the key from
>Friday in it, and that's messing things up.  Delete that file and
>reinitialize, then leave the server up and running (not forgetting
>to use -T mkeytimers=H/D/M, where M is no more than 3600 seconds,
>because keyroll.systems rolls its keys every hour and normal RFC
>5011 processing can't handle that), and you should be in good shape.
>Evan Hunt -- each at isc.org
>Internet Systems Consortium, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4604 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150421/f18e8e6d/attachment.bin>

More information about the bind-users mailing list