<div dir="ltr">On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. <span dir="ltr"><<a href="mailto:lkchen@ksu.edu" target="_blank">lkchen@ksu.edu</a>></span> wrote:<br><div class="gmail_extra"><div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif"><br><br><hr><div class="im"><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;margin-left:5px;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal;border-left:2px solid rgb(16,16,255)">
<div style="font-size:12pt;font-family:arial,helvetica,sans-serif"><br><div style="font-family:arial,helvetica,sans-serif"><br></div><div style="font-family:arial,helvetica,sans-serif">So, can I just remove the Revoke line (is there an option in dnssec-settime to do this?) and have things fixed...</div>
<div style="font-family:arial,helvetica,sans-serif"><br></div><div style="font-family:arial,helvetica,sans-serif"><br></div></div></blockquote></div>guess dnssec-settime -A none -R none will remove it....but guessing there's more to fixing my current mess?</div>
</div></blockquote><div><br></div><div>Adding the revoke bit was not useful, but wasn't in and of itself harmful. The harmful part, and what likely was the cause of validation errors, was that you began exclusively signing your zone contents before it had been pre-published long enough for versions of the DNSKEY RRset without the key to expire in cache. Here's what I see:<br>
<br>2013-09-04 19:15 UTC<br>only ZSK with id 14565 exists and is signing zone<br><a href="http://dnsviz.net/d/ksu.edu/UieG7w/dnssec/">http://dnsviz.net/d/ksu.edu/UieG7w/dnssec/</a><br><br></div><div>2013-09-05 01:38 UTC<br>
</div><div>new ZSK with id 44538 is signing, as is now revoked key 14565 (now with id 14693)<br><a href="http://dnsviz.net/d/ksu.edu/UifggA/dnssec/">http://dnsviz.net/d/ksu.edu/UifggA/dnssec/</a><br><br></div>Somewhere between that roughly six-hour period, the new ZSK was introduced and the RRSIGs made by the new ZSK became the only useful ones since the old key had been marked as revoked. Now consider a validating resolver that retrieved the DNSKEY RRset at 2013-09-04 19:15 UTC. The TTL suggests it can be cached for 24 hours--that is, 18 hours after DNSViz first notes the presence of the new ZSK and RRSIGs that can only be validated by that new ZSK. This example validating resolver will now have issues validating names in <a href="http://ksu.edu">ksu.edu</a> until the cache expires 24 hours after new ZSK was introduced. Such is the window for failure.<br>
<br>Regards,<br>Casey <br></div></div></div>