botched KSK rollover
/dev/rob0
rob0 at gmx.co.uk
Thu Aug 17 16:31:30 UTC 2017
Oops.

I had it all figured out about 2 months ago and had generated new
keys for ZSK (which I rolled over right away) and KSK. The KSK
change was slated for yesterday, but I forgot to get the DS to the
parent zone before the inactivation of the previous KSK.

Sigh, it sure would be nice if I had a registrar with a means to
automate DS submission. But it's my fault for failing to set a
reminder to do it manually.

I put a band-aid on the problem with dnssec-settime(8). With that I
reactivated the old dead key (this has me feeling a bit like
Frankenstein! :) ). I added a week to inactivation:

# dnssec-settime -I+1w Knodns4.us.+005+60073.key

I thought I should then try deactivating the new one, but
dnssec-settime did not like what I tried:

# dnssec-settime -i6d -S Knodns4.us.+005+60073.key Knodns4.us.+005+16408.key
dnssec-settime: fatal: Predecessor will become inactive before the
prepublication period ends. Either change its inactivation
date, or use the -i option to set a shorter prepublication
interval.

I don't understand this error. 1w > 6d, right?

At this time I have 3 RRSIGs for DNSKEY: from both KSKs and the ZSK.
According to both DNSViz and Verisign's dnssec-debugger this has put
me back in business for the time being. For some reason I am not
successful in wrestling with GoDaddy over the new DS, but that's not
a matter for this list.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
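The post turns on two timing constraints of a KSK rollover: the new DS must be in the parent (and have aged there) before the old KSK stops signing, and a successor key needs its prepublication interval to fit before the predecessor's inactivation date. The script below is an added example, not code from the post or from BIND. It reads the timing comments out of a K*.key file (constructed sample; the assumption is that BIND writes them as "; Field: YYYYMMDDHHMMSS" lines above the DNSKEY record, with zone name, key tag and key data here made up), models the successor chaining of `dnssec-settime -S` as I understand it (successor activates at the predecessor's Inactive time and is published one prepublication interval earlier, with a publish date already in the past treated as fatal), and applies the RFC 6781 double-signature rule that the old KSK must keep signing until the new DS has been in the parent for one DS TTL. The functions `parse_key_times`, `plan_successor`, `ksk_rollover_problems` and `reschedule_inactive` are my names, and the modelled check is an assumption about the rule behind the error, not a diagnosis of why the poster's particular command failed.

```python
"""Pre-flight checks for a BIND-style KSK rollover, driven by the timing
metadata in K*.key files.  Added example; not code from the post or BIND."""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample key file.  Assumption: BIND writes its timing metadata
# as "; Field: YYYYMMDDHHMMSS (human readable)" comment lines above the
# DNSKEY record.  Zone name, key tag and key data are made up.
OLD_KSK = """\
; This is a key-signing key, keyid 11111, for example.test.
; Created: 20170617120000 (Sat Jun 17 12:00:00 2017)
; Publish: 20170617120000 (Sat Jun 17 12:00:00 2017)
; Activate: 20170617120000 (Sat Jun 17 12:00:00 2017)
; Inactive: 20170816000000 (Wed Aug 16 00:00:00 2017)
example.test. IN DNSKEY 257 3 5 AwEAAcONSTRUCTEDkeyDATAnotAREALkey==
"""

TIME_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")
_FIELD_RE = re.compile(r"^;\s*([A-Za-z]+):\s*(\d{14})")


def parse_key_times(key_text):
    """Map each timing field found in a .key file to a UTC datetime."""
    times = {}
    for line in key_text.splitlines():
        m = _FIELD_RE.match(line)
        if m and m.group(1) in TIME_FIELDS:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            times[m.group(1)] = stamp.replace(tzinfo=UTC)
    return times


def plan_successor(pred_times, prepub, now):
    """Derive a successor's Publish/Activate from the predecessor's Inactive
    date.  Assumption (my model of dnssec-settime -S, not its code): the
    successor activates when the predecessor goes inactive and must be
    published `prepub` earlier; a publish date already in the past is an
    error."""
    inactive = pred_times.get("Inactive")
    if inactive is None:
        raise ValueError("predecessor has no inactivation date")
    publish = inactive - prepub
    if publish < now:
        raise ValueError(
            "predecessor goes inactive before the prepublication period ends: "
            f"publish would be {publish.isoformat()}, now is {now.isoformat()}"
        )
    return {"Publish": publish, "Activate": inactive}


def ksk_rollover_problems(pred_times, now, ds_published_at, ds_ttl):
    """List reasons not to let the old KSK go inactive yet.

    ds_published_at: when the parent began serving the new DS (None if it
    does not yet); ds_ttl: the parent's DS TTL.  Rule applied (summary of
    RFC 6781's double-signature KSK rollover): the old KSK keeps signing
    the DNSKEY RRset until the new DS has been in the parent for at least
    one DS TTL, so resolvers still holding only the old DS can validate."""
    problems = []
    inactive = pred_times.get("Inactive")
    if inactive is None:
        return ["old KSK has no Inactive date: nothing is scheduled"]
    if inactive <= now:
        problems.append("old KSK is already inactive: resolvers with only the old DS cannot validate")
    if ds_published_at is None:
        problems.append("new DS is not in the parent yet: push the old KSK's Inactive date out")
    elif inactive < ds_published_at + ds_ttl:
        problems.append("old KSK goes inactive before the new DS has aged one DS TTL in the parent")
    return problems


def reschedule_inactive(times, delay, now):
    """Move Inactive to now+delay, the effect of `dnssec-settime -I+<delay>`
    (assumption: "+" offsets are relative to the current time)."""
    new_times = dict(times)
    new_times["Inactive"] = now + delay
    return new_times


if __name__ == "__main__":
    now = datetime(2017, 8, 17, 16, 31, 30, tzinfo=UTC)  # date of the post
    old = parse_key_times(OLD_KSK)
    # Situation in the post: Inactive is yesterday and no DS is in the parent.
    for p in ksk_rollover_problems(old, now, None, timedelta(days=1)):
        print("problem:", p)
    # The band-aid: push Inactive out a week, then chain the successor.
    old = reschedule_inactive(old, timedelta(weeks=1), now)
    print("successor plan:", plan_successor(old, timedelta(days=6), now))
```

Run against the constructed key file with the post's date as "now", the first call reports both the already-inactive KSK and the missing DS; after the one-week reschedule the six-day prepublication interval fits, with publish one day out and activate one week out. Feed real `ds_published_at` and `ds_ttl` values from the parent's DS RRset (via `dig`) rather than guessing them.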