botched KSK rollover
Michał Kępień
michal at isc.org
Fri Aug 18 11:57:11 UTC 2017

> I added a week to inactivation,
>
> # dnssec-settime -I+1w Knodns4.us.+005+60073.key
>
> I thought I should then try deactivating the new one,

I am not sure whether this is really what you wanted to achieve, but in
any case "dnssec-settime -i ... -S ..." only sets publication and
activation dates for the successor key, not its inactivation date.

> but
> dnssec-settime did not like what I tried:
>
> # dnssec-settime -i6d -S Knodns4.us.+005+60073.key Knodns4.us.+005+16408.key
> dnssec-settime: fatal: Predecessor will become inactive before the
> prepublication period ends. Either change its inactivation
> date, or use the -i option to set a shorter prepublication
> interval.
>
> I don't understand this error. 1w > 6d, right?

I checked the code and it seems to be a bug. A fix is in review:

https://bugs.isc.org/Public/Bug/Display.html?id=45806

Thank you for reporting!

--
Best regards,
Michał Kępień

More information about the bind-users mailing list