auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis
Mathew.Eis at nau.edu
Tue Jul 5 16:20:44 UTC 2016
> How promptly are you deleting the key files?
Any time >= deletion time, varying… we think this could explain why only some of the DNSKEYs are becoming zombies, but not all.
> Are you allowing enough time for named to go through a zone key maintenance cycle? (which is hourly if I remember correctly)
I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone key maintenance cycle” of an hour, and the docs also casually mention that “by default, this [key] rollover completes in 30 days” .
How long after deletion time is it safe to actually remove the underlying key files, if it isn’t the deletion time itself?
From: Tony Finch <dot at dotat.at>
Date: Monday, July 4, 2016 at 8:08 AM
To: Mathew Eis <Mathew.Eis at nau.edu>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis <Mathew.Eis at nau.edu> wrote:
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in ), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to determine whether or not to remove the DNSKEY from
> the zone.
How promptly are you deleting the key files? Are you allowing enough time
for named to go through a zone key maintenance cycle? (which is hourly if
I remember correctly)
> Lastly, so long as a zone is properly signed with a different key, are
> there any concerns with manually removing the zombie DNSKEY records via
> an update even while auto-dnssec maintain is enabled?
I believe that should work.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
North Rockall: Westerly or northwesterly 3 or 4, increasing 5 at times.
Moderate. Showers. Good.
More information about the bind-users