<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cordia New";
panose-1:2 11 3 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1296644728;
mso-list-type:hybrid;
mso-list-template-ids:1581561682 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hi,<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>my server use key id 23412 first and then 40767<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>[root@dnssec keys]# dnssec-settime -p all
Kexample.com.+005+23412<o:p></o:p></p>
<p class=MsoListParagraph>Created: Wed Jul 30 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Publish: Wed Jul 30 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Activate: Fri Aug 1 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Revoke: UNSET<o:p></o:p></p>
<p class=MsoListParagraph>Inactive: Sun Aug 31 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Delete: Mon Sep 1 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>[root@dnssec keys]# dnssec-settime -p all
Kexample.com.+005+40767<o:p></o:p></p>
<p class=MsoListParagraph>Created: Thu Aug 7 15:59:03 2014<o:p></o:p></p>
<p class=MsoListParagraph>Publish: Fri Aug 29 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Activate: Sun Aug 31 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Revoke: UNSET<o:p></o:p></p>
<p class=MsoListParagraph>Inactive: Tue Sep 30 14:56:09 2014<o:p></o:p></p>
<p class=MsoListParagraph>Delete: Wed Oct 1 14:56:09 2014<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>In order to test changing a new ZSK,I set the OS clock
to be future time at Aug 31 14:56:08 2014..Now it is Aug 7 2014. Then I
wait 2-3 secs to ensure that bind activate new ZSK id 40767 and inactivate
old ZSK id 23412.<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>I use dig to check whether bind activate new key
correctly or not but I notice there is some dns records which are signed by new
key and some dns records are signed by old key. In therory,After new ZSK is
activated.All dns records must be signed with new key.<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>This is result.<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>[root@dnssec keys]# dig @10.10.10.203 example.com any
+dnssec +multiline<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>; <<>> DiG
9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.10.10.203
example.com any +dnssec +multiline<o:p></o:p></p>
<p class=MsoListParagraph>; (1 server found)<o:p></o:p></p>
<p class=MsoListParagraph>;; global options: +cmd<o:p></o:p></p>
<p class=MsoListParagraph>;; Got answer:<o:p></o:p></p>
<p class=MsoListParagraph>;; ->>HEADER<<- opcode: QUERY, status:
NOERROR, id: 5421<o:p></o:p></p>
<p class=MsoListParagraph>;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY:
0, ADDITIONAL: 3<o:p></o:p></p>
<p class=MsoListParagraph>;; WARNING: recursion requested but not available<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>;; OPT PSEUDOSECTION:<o:p></o:p></p>
<p class=MsoListParagraph>; EDNS: version: 0, flags: do; udp: 4096<o:p></o:p></p>
<p class=MsoListParagraph>;; QUESTION SECTION:<o:p></o:p></p>
<p class=MsoListParagraph>;example.com.
IN ANY<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>;; ANSWER SECTION:<o:p></o:p></p>
<p class=MsoListParagraph><span style='color:red'>example.com.
86400 IN RRSIG NS 5 2 86400 20140928075513 (<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
20140829070015 </span><span style='color:#0070C0'>23412</span><span
style='color:red'> example.com.<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
lggwXqqh5PwYcNFqjVQEPKuLoJANDzsLJ7pAFtgIF6wh<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
EMtxKFN+Y4SXx6O/OcHrGgxcwYRV+/yN3YHAj55sq0ax<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
sp3uBI0YvOrwrmQeqaIqeMynzafehrwTHLeMxTMkimlT<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
JakSvRLglpCtpNw0n2xUMkFo4MM6dN/0NzANSdw= )<o:p></o:p></span></p>
<p class=MsoListParagraph>example.com.
86400 IN RRSIG NSEC 5 2 86400 20140928075513 (<o:p></o:p></p>
<p class=MsoListParagraph>
20140829070015 23412 example.com.<o:p></o:p></p>
<p class=MsoListParagraph>
PkgjBT8SE24O5gFktr6XncfoB/KHcW1chVvlDhiFtzS+<o:p></o:p></p>
<p class=MsoListParagraph>
bagayzo5r8uzw0frlVSN3JEbxRJSVX/55uahgYuzhCj/<o:p></o:p></p>
<p class=MsoListParagraph>
F/dfGnQ9PRn1+1DjhFTFO0IzHBqN0LmyAhbOTrwQMyrN<o:p></o:p></p>
<p class=MsoListParagraph>
aJnckwAFAJoPOIA+N8dcT8rIT9jK/Bhdmi0+NRo= )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN NSEC ns.example.com. NS SOA RRSIG NSEC DNSKEY TYPE65534<o:p></o:p></p>
<p class=MsoListParagraph><span style='color:red'>example.com.
86400 IN RRSIG SOA 5 2 86400 20140930075609 (<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
20140831065609 </span><span style='color:#0070C0'>40767</span><span
style='color:red'> example.com.<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
dA4v0mEU0stMci6TcwH3iWKc2iqgx/tt5fjfMdHqHSoG<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
XnzDMiQBxT7qucQ7ixN9ocaQUsCqCWgOgGL6SLW4/Qja<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
iIi78dvtlU2JKVNCC5qnJudn5MlUS1/VSToDY9CqKO4Z<o:p></o:p></span></p>
<p class=MsoListParagraph><span style='color:red'>
BnrvlfvoRWJv/IlRqSXdG5taB8zvAw3drzaHO/E= )<o:p></o:p></span></p>
<p class=MsoListParagraph>example.com.
0 IN RRSIG TYPE65534 5 2 0 20140928075513 (<o:p></o:p></p>
<p class=MsoListParagraph>
20140829070015 23412 example.com.<o:p></o:p></p>
<p class=MsoListParagraph>
ynK/o9xUhkLTxmfUMsUZ+Lroi9ov5n6p1X2adr0PsNbY<o:p></o:p></p>
<p class=MsoListParagraph>
WQqG0qBQgzQqH6a6TDcCS/d8SFMJCl0duf8y4nlytDUV<o:p></o:p></p>
<p class=MsoListParagraph>
6z2psdUNt6or8xPHTdCDPJKFLMxzFV8gpD5oxPLS3DeU<o:p></o:p></p>
<p class=MsoListParagraph>
C27+SFEpCzKtgwjxGkHzZabNesK6WKSoPwQFvaw= )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (<o:p></o:p></p>
<p class=MsoListParagraph>
20140831065609 5554 example.com.<o:p></o:p></p>
<p class=MsoListParagraph>
Vb502xsTCsQDRMDt3/f5Q28XC9c908GGIZzgAP4jeHXa<o:p></o:p></p>
<p class=MsoListParagraph>
hGdhXP/lVcZw38bJplw7t9ysgJyyeSzdULTAQbyMy+Fd<o:p></o:p></p>
<p class=MsoListParagraph>
gTzjGqRz1elme1AkrguUHNmee/MvP1Sgkmj+UOENBaN/<o:p></o:p></p>
<p class=MsoListParagraph>
ubqh9ywJcRsYK7RqfN1B6xLIyB8WDwcrpvroD8iwJmP1<o:p></o:p></p>
<p class=MsoListParagraph>
CZYN+xrhvq/0ancfMUguLAHsfRh4ldxKZ4oy/NrkJJbp<o:p></o:p></p>
<p class=MsoListParagraph>
3a2yO0O99D6RZQ== )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (<o:p></o:p></p>
<p class=MsoListParagraph>
20140831065609 40767 example.com.<o:p></o:p></p>
<p class=MsoListParagraph>
dH6x9qaiE49/jMve7Uv7cOIYh6L4YPz9WEFydRv6euqQ<o:p></o:p></p>
<p class=MsoListParagraph>
B7Zj4tX2aoruJxvupHn0hgzVyS4EtIfdsXTOOyLCxghl<o:p></o:p></p>
<p class=MsoListParagraph>
j3//Gfv7Y+kf14hm+MCVIHqbpq9J2FHAHTK3WgTgMAXX<o:p></o:p></p>
<p class=MsoListParagraph>
2SfYcrW676TQ1zWlpAUHKFPDwPwGB3CTzszu3vE= )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
0 IN TYPE65534 \# 5 ( 059F3F0000 )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
0 IN TYPE65534 \# 5 ( 0515B20001 )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
0 IN TYPE65534 \# 5 ( 055B740001 )<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN DNSKEY 256 3 5 (<o:p></o:p></p>
<p class=MsoListParagraph>
AwEAAaB5OP8VxbRihmF2d6woYO266+SFlGsj5xwcDiF2<o:p></o:p></p>
<p class=MsoListParagraph>
ctMKazuasvGyCtkuqbfEJWYfyAumQlObAbKuuR59qoQo<o:p></o:p></p>
<p class=MsoListParagraph>
hCSwmzXH67gUrKjhAQfQKFa2KmzrcVe+hyQtAVzWoHgK<o:p></o:p></p>
<p class=MsoListParagraph>
ff7t8LgbESPwEqwgmvT97rxjyZHHFVkttXxXfZ+GkzZj<o:p></o:p></p>
<p class=MsoListParagraph>
) ; key id = 40767<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN DNSKEY 256 3 5 (<o:p></o:p></p>
<p class=MsoListParagraph>
AwEAAdz+HnGTt4MKPecTfEmTgdGLKT1AAFzub8vkmpSu<o:p></o:p></p>
<p class=MsoListParagraph>
3J8phU4GHEXFl81I8klDIC2vMbgXRL4ZbOe1wBvK7tq+<o:p></o:p></p>
<p class=MsoListParagraph>
i4m6YliYOm4rIiWX2lc7hh+pj2WI4h2KgHalUCjB4Zwf<o:p></o:p></p>
<p class=MsoListParagraph>
U5vR4biVdCJ6p+JEvo7AJMDXyWUhJsLRqcpHDtao3Rn/<o:p></o:p></p>
<p class=MsoListParagraph>
) ; key id = 23412<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN DNSKEY 257 3 5 (<o:p></o:p></p>
<p class=MsoListParagraph>
AwEAAb2FS/90WOx0xXHkaYRth7DTvdeEoIhsWAsOx8TR<o:p></o:p></p>
<p class=MsoListParagraph>
rdjwx7gtr5f/ZQvcnQM7FMzM8f18iBm51SclpipYeNMF<o:p></o:p></p>
<p class=MsoListParagraph>
FRaYAp+mdqnHeO+B63q/E3+cBiKrmdVUyvJwuS8MzXuA<o:p></o:p></p>
<p class=MsoListParagraph>
ZyVkPMr4U1EUJpONYD5nVmlc/RzexcGc9fj/PAzB4zbB<o:p></o:p></p>
<p class=MsoListParagraph>
rwb7QRfJHzrWC/C+DMx14MqRdkGWPGYRU4YB4jt5Mq/8<o:p></o:p></p>
<p class=MsoListParagraph>
LARkB3Q7Xn92//U8Zb8=<o:p></o:p></p>
<p class=MsoListParagraph>
) ; key id = 5554<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN NS ns.example.com.<o:p></o:p></p>
<p class=MsoListParagraph>example.com.
86400 IN SOA ns.example.com. hostmaster.example.com. (<o:p></o:p></p>
<p class=MsoListParagraph>
2013122405 ; serial<o:p></o:p></p>
<p class=MsoListParagraph>
86400 ; refresh (1 day)<o:p></o:p></p>
<p class=MsoListParagraph>
7200 ; retry (2 hours)<o:p></o:p></p>
<p class=MsoListParagraph>
604800 ; expire (1 week)<o:p></o:p></p>
<p class=MsoListParagraph>
86400 ; minimum (1 day)<o:p></o:p></p>
<p class=MsoListParagraph>
)<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>;; ADDITIONAL SECTION:<o:p></o:p></p>
<p class=MsoListParagraph>ns.example.com.
86400 IN A 10.10.10.203<o:p></o:p></p>
<p class=MsoListParagraph>ns.example.com.
86400 IN RRSIG A 5 3 86400 20140928075513 (<o:p></o:p></p>
<p class=MsoListParagraph>
20140829070015 23412 example.com.<o:p></o:p></p>
<p class=MsoListParagraph>
PcBkNi7e4qjCcUcug/bYBCjTG8HzEqOoY8rTUpRSDGbu<o:p></o:p></p>
<p class=MsoListParagraph>
gA1MKJFGKzsPtFqFhvYlfqsymGxmEkUfOP6obvUudsKS<o:p></o:p></p>
<p class=MsoListParagraph>
jcuEP9Xp+OeeWqm+pTrVXOk8tPV/yhtdMJdgRj+PGwkj<o:p></o:p></p>
<p class=MsoListParagraph>
h/MbmJnKGXI/lT5odagacnFUidI5c1QFs+4DvLs= )<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>;; Query time: 1 msec<o:p></o:p></p>
<p class=MsoListParagraph>;; SERVER: 10.10.10.203#53(10.10.10.203)<o:p></o:p></p>
<p class=MsoListParagraph>;; WHEN: Sun Aug 31 15:04:38 2014<o:p></o:p></p>
<p class=MsoListParagraph>;; MSG SIZE rcvd: 1974<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Can anybody explain me what wrong with it? How to fix
this error?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thank you<o:p></o:p></p>
<p class=MsoNormal>Jittinan<o:p></o:p></p>
</div>
</body>
</html>