<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2. See
<a href="https://lists.isc.org/pipermail/bind-users/2011-December/086063.html">https://lists.isc.org/pipermail/bind-users/2011-December/086063.html</a>. This appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">See <a href="http://dnsviz.net/d/jaspain.net/dnssec/">http://dnsviz.net/d/jaspain.net/dnssec/</a>. The RRSIGs on the jaspain.net AAAA, A, and TXT RRSets signed by ZSK 35297 expired on 12/17/2011, and those RRSets have not been resigned
with the new ZSK 42152.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The metadata for ZSK 35297 calls for it to have become inactive on 12/12/2011 (at zero hours UTC) and for it to be deleted on 1/16/2012. The metadata for the new ZSK 42152 calls for it to have been published on 9/8/2011 and activated on
12/11/2011. The jaspain.net SOA RRSet was signed by ZSK 35297 on 12/10/2011 and by ZSK 42152 at the same time. Following today’s upgrade to RC1 the signature by ZSK 35297 on the SOA RRSet was removed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As I understand it, bind should be resigning RRSets automatically to prevent such signature expirations.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This particular zone is configured for in-line signing from a locally stored copy of the unsigned zone:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">zone "jaspain.net" {<o:p></o:p></p>
<p class="MsoNormal"> type master;<o:p></o:p></p>
<p class="MsoNormal"> file "/var/lib/bind/jaspain.net/jaspain.net.db";<o:p></o:p></p>
<p class="MsoNormal"> key-directory "/var/lib/bind/jaspain.net";<o:p></o:p></p>
<p class="MsoNormal"> update-policy local;<o:p></o:p></p>
<p class="MsoNormal"> auto-dnssec maintain;<o:p></o:p></p>
<p class="MsoNormal"> inline-signing yes;<o:p></o:p></p>
<p class="MsoNormal"> also-notify { 2001:4870:20ca:158:14ff:7695:9632:e9ec; };<o:p></o:p></p>
<p class="MsoNormal">};<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for any ideas you may have about what has gone wrong.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Jeffry A. Spain<br>
Network Administrator<br>
</span><span style="color:blue">Cincinnati Country Day School</span><span style="color:#1F497D"><br>
<br>
</span><o:p></o:p></p>
</div>
</body>
</html>