botched KSK rollover

Michał Kępień michal at isc.org
Fri Aug 18 11:57:11 UTC 2017


> I added a week to inactivation,
> 
> # dnssec-settime -I+1w Knodns4.us.+005+60073.key
> 
> I thought I should then try deactivating the new one,

I am not sure whether this is really what you wanted to achieve, but in
any case "dnssec-settime -i ... -S ..." only sets publication and
activation dates for the successor key, not its inactivation date.

> but 
> dnssec-settime did not like what I tried:
> 
> # dnssec-settime -i6d -S Knodns4.us.+005+60073.key Knodns4.us.+005+16408.key
> dnssec-settime: fatal: Predecessor will become inactive before the
>         prepublication period ends.  Either change its inactivation 
>         date, or use the -i option to set a shorter prepublication 
>         interval.
> 
> I don't understand this error.  1w > 6d, right?

I checked the code and it seems to be a bug.  A fix is in review:

    https://bugs.isc.org/Public/Bug/Display.html?id=45806

Thank you for reporting!

-- 
Best regards,
Michał Kępień

