<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Nur Text Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Arial",sans-serif;
mso-fareast-language:EN-US;}
span.NurTextZchn
{mso-style-name:"Nur Text Zchn";
mso-style-priority:99;
mso-style-link:"Nur Text";
font-family:"Arial",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE-CH link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText><span lang=EN-GB style='mso-fareast-language:DE-CH'>Hello Mark and bind users<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='mso-fareast-language:DE-CH'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='mso-fareast-language:DE-CH'>Thank you for the explanations. Some things are still not clear to me...<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='mso-fareast-language:DE-CH'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='mso-fareast-language:DE-CH'>> -----Original Message-----<br>> From: Mark Andrews <marka@isc.org> <br>> Sent: Monday, March 11, 2019 8:53 AM<br>> To: Philippe Maechler <pmaechler-ml@glattnet.ch><br>> Cc: bind-users@lists.isc.org<br>> Subject: Re: named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> Because you removed the key from disk before it was removed from the zone. </span>Presumably named<o:p></o:p></p><p class=MsoPlainText><span lang=EN-GB>> was logging other error messages before you removed the key from disk or the machine was off<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> for a period or you mismanaged the key roll and named keep the key alive.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='color:black'>Possible, the machine was running all the time (uptime is ~92 days). I would have to search in old logs to be sure. Since this domain is for testing purposes, its not important. The "bad thing" is the cpu usage which is quite high.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='color:black'>Is this something that will be addressed in further bind releases? E.g. dns_dnssec_findzonekeys2 only search at a given interval for new keys or only logs this message once in a minute/hour?<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> Named’s re-signing strategy is different to when you are signing the whole zone at once as<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> you are signing it incrementally. </span>You should be allowing most of the sig-validity interval<o:p></o:p></p><p class=MsoPlainText><span lang=EN-GB>> before you delete the DNSKEY after you inactive it. <o:p></o:p></span></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><span lang=EN-GB>What exactly ist he sig-validy time? From my understanding this is the period from "Activate" to "Inactive"<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># dnssec-settime -pall Kglattweb.ch.+013+06605<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>Created: Mon Mar 11 10:03:49 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>Publish: Mon Mar 11 11:06:44 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>Activate: Tue Mar 19 10:02:19 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>Revoke: UNSET<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>Inactive: Thu Mar 21 10:06:44 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>Delete: Sun Mar 31 11:05:48 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>SYNC Publish: Mon Mar 11 11:06:44 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>SYNC Delete: Sun Mar 31 11:06:44 2019<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>In this case the sig-validity time is ~2d 4m<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>The key has a delete Date of 2019-03-31 and I can delete (or move) the key at 2019-04-02 or to be safe 2019-04-03?<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> One should check that there are no RRSIGs<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> still present in the zone before deleting the DNSKEY from the zone. </span>Inactivating it stops the<o:p></o:p></p><p class=MsoPlainText><span lang=EN-GB>> DNSKEY being used to generate new signatures but it needs to stay around until all those RRSIGs<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> have expired from caches which only happens after new replacement signatures have been generated.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='color:black'>When are these replacement RRSIGs created? The key reached it's delete date, the new key is in place and new RRSIGs are created. <o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='color:black'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>> If you still have the .private file around reinstate it. </span>If not you will need to import the<o:p></o:p></p><p class=MsoPlainText><span lang=EN-GB>> DNSKEY using dnssec-importkey and manage its removal properly.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>Can you help me here?<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dnssec-importkey: error: dns_master_load: /usr/local/etc/namedb/master/glattweb.ch.db:15: glattweb.ch: not at top of zone<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dnssec-importkey: fatal: can't load /usr/local/etc/namedb/master/glattweb.ch.db: not at top of zone<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>ok... yes makes sense, glattweb.ch is not at the top of zone<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># head /usr/local/etc/namedb/master/glattweb.ch.db<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>$TTL 300<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>$ORIGIN glattweb.ch.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>@ 300 IN SOA dns1.glattnet.ch. hostmaster.glattnet. (<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'> 2019020400 ; serial<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'> 600 ; refresh<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'> 300 ; retry<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'> 3600 ; expire<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'> 90 ; nttl<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'> )<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>I don't think that I should use the .signed file... let’s test that anyway<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db.signed<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dnssec-importkey: error: dns_master_load: /usr/local/etc/namedb/master/glattweb.ch.db.signed:1: syntax error<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dnssec-importkey: fatal: can't load /usr/local/etc/namedb/master/glattweb.ch.db.signed: syntax error<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>Maybe I have to change the zone format from raw to text...<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># named-compilezone -j -fraw -F text -o tmp glattweb.ch /usr/local/etc/namedb/master/glattweb.ch.db.signed<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>zone glattweb.ch/IN: loaded serial 2019022800 (DNSSEC signed)<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dump zone to tmp...done<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>OK<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># less tmp <o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN SOA dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG SOA 13 2 300 20190330214039 20190228204039 12809 glattweb.ch. WDhpay5Iwi3DumsZ3UQiwdfkkIY44t8ez8dRW6/xv3sXFOJrwYQTyxwx eO2iiRBZwwOI6oyT/0eNDJiF+FSIlg==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>; resign=20190330214039<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN NS dns1.glattnet.ch.<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN NS dns2.glattnet.ch.<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG NS 13 2 300 20190318002703 20190215232756 12809 glattweb.ch. AJ3ez1YZEK6YzRlByyLJf3scpljMgZYjIRH55pG6oPhc7AP0qgo4dBqH MDvaVubxEWyulruRcOiD8jpym6gp2w==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>; resign=20190318002703<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 90 IN NSEC www.glattweb.ch. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 90 IN RRSIG NSEC 13 2 90 20190330212621 20190228204039 12809 glattweb.ch. 7Z93XycEUNrzZ64LxmQuBwSzps6nMxjVMrtUFR0Kse29RQF/3eIIjTGx ZoTpDSOjjsrEhsBEyGSKvrGLS6bLXA==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>; resign=20190330212621<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN DNSKEY 256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN DNSKEY 256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. gbDTbnIz+NtSg4dws88wWxv67gXdz4Qw/PL54CixibylGptcufep5W49 2RkNz3iy79u1Kqvl4FUdEQhdZnLBJw==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. eNk21CrH5BWkAp0uHk0N3gV2FCfsYUBO0bgRv4Vsqt2P9pz63sGKB/J0 9zWLNb4Lf7GF6tIUZjyXq3vERmL+KA==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>; resign=20190328131200<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>glattweb.ch. 300 IN CDS 12809 13 1 C621D4A4904C012CBB35EB77E59F4C0CA3C81E87<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN CDS 12809 13 2 75CDE511593A4D6D65D7FAC1C52EC304F9CB86D9AE53D550F2764A22 606FB96D<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN CDS 33518 13 1 05977C7AC6320E25A3403366B69A1893DF023F63<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN CDS 33518 13 2 39803C6F03171D50BA428C3BE5E4A3AB01CECF8564DAC18EBBFA2ED5 201B62C7<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG CDS 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. h3rdycn57p0K2bi3IYPUyjf8NIYedWRO2OSpxrdGxiwqlH1tF9TaD9Rd n6YLP7cZtMZWOFBreHeNYGPKlqulEQ==<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG CDS 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. 9Yy4QmylesxZrszDHwp1NkLps2XKWQYyQHfxNQ0rOsxxiujVEfcRY6Fl Xup1K9yZQdOxl5+GkyuHKic8HLXttA==<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>; resign=20190328131200<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN CDNSKEY 256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN CDNSKEY 256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG CDNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. l2FmSIdTBYCytoqZu8oiOx9tZ26MVIdaYXsF8uLAThJ5C1iXRuADwwde tCwN7zQsiK9+VF/qLGKUSInOFosgxw==<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>glattweb.ch. 300 IN RRSIG CDNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. gresGcjFA258p6374Ke/+qHr2WNFMPccQZnZgc4p074hqlF01lZUKx7w 388ph5i+fUzcsbT6Pf+trdkovuw7/A==<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>; resign=20190328131200<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>www.glattweb.ch. 300 IN CNAME gnweb.glattnet.ch.<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>www.glattweb.ch. 300 IN RRSIG CNAME 13 3 300 20190318002703 20190215232756 12809 glattweb.ch. 5gBSM7WaCIf2t/CFcaZ4p17xL6TpQw6zH+KpJphG3vxikRDgBNWVVjX7 ObDN6D7I4FhfaWEdRl3TcN4fJJQ++w==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>; resign=20190318002703<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>www.glattweb.ch. 90 IN NSEC glattweb.ch. CNAME RRSIG NSEC<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>www.glattweb.ch. 90 IN RRSIG NSEC 13 3 90 20190328204045 20190226195831 12809 glattweb.ch. u+gIh06+Q3N1qwKIqieYI+2118ZoWvbI0vgCM27zU0lGDLdFLMeBUMuh Qh1BSYBsj/JDNH/jTsJFav5GZK44ng==<o:p></o:p></span></p><p class=MsoPlainText><span style='font-family:"Courier New"'>; resign=20190328204045<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>#<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'># dnssec-importkey -v 99 -f tmp <o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dnssec-importkey: error: dns_master_load: tmp:26: glattweb.ch: not at top of zone<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB style='font-family:"Courier New"'>dnssec-importkey: fatal: can't load tmp: not at top of zone<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>Since I get the same error message that I got when using the dnssec-importkey in the unsigned file, I guess I do something fundamentally wrong :/<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoPlainText><span lang=EN-GB>tia<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB>Philippe<o:p></o:p></span></p><p class=MsoPlainText><span lang=EN-GB><o:p> </o:p></span></p></div></body></html>