<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi Mark!!</p>
<p><br /></p>
<p>Thank you so much for your answer and your time!!</p>
<p><br /></p>
<p>I have a couple of questions. I ask them between your lines, in blue, to emphasize them and make it easier to see what I'm referring to. I'm talking about ZSK keys in the questions I ask in blue.</p>
<p><br /></p>
<p>On 2022-01-25 00:36, Mark Andrews wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br /> How 'named' manages DNSSEC is very different to how 'dnssec-signzone' manages DNSSEC. When you tell named to<br /> inactivate a DNSKEY it stops re-signing the zone with it and it stops signing new records added to the zone<br /> with it. </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><strong><span style="color: #0000ff;">The fact is, I don't really tell named anything. It maintains the zone signatures (I'm using inline-signing yes; auto-dnssec maintain; per zone). I just provide it keys and then wait until the ZSK key's delete time arrives, then I remove its files (.key and .private). I don't wait until the inactive time; I wait until the delete time (not the inactive time). After the delete time of the key, can records (RRSIGs) signed with that key still exist?</span></strong></div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">It DOES NOT immediately replace all RRSIGs generated using that key. Those records will be replaced<br /> over the sig-validity-interval as they fall due for re-signing. Once all those RRSIG records have been<br /> replaced and they have expired from caches, you can then delete the DNSKEY record.<br /> <br /> With the default sig-validity-interval (30) that takes up to 22.5 days to which you have to add the record TTL.</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><strong><span style="color: #0000ff;">Ok, but does sig-validity-interval also apply after the key deletion date? Or does it apply only from the inactivation date to the deletion date of a key?</span></strong><br /> <br /> Mark</div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><strong><span style="color: #0000ff;">Best regards</span></strong><br /> <br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">On 25 Jan 2022, at 05:21, egoitz--- via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br /> <br /> Hi!!<br /> <br /> Thanks a lot for your answer!!<br /> <br /> I tried renaming back and rndc sign before... but it does not work.... it just removed the error from the log....<br /> <br /> I have changed my key-managing code so it does not rename the ZSK (.key and .private) to "-OLD" until at least 2 days have passed since the deletion time... Let's see if this way works better....<br /> <br /> Any more ideas, mates?<br /> <br /> Thank you so much for your time :)<br /> <br /> Best regards,<br /> <br /> On 2022-01-24 17:51, Tony Finch wrote:<br /> <br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">egoitz--- via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><br /> These are the contents of a cat of the private file I have renamed to<br /> samename.private-OLD:<br /> <br /> Created: 20211031230338<br /> Publish: 20211110220241<br /> Activate: 20211110220341<br /> Inactive: 20211215230338<br /> Delete: 20211217230338</blockquote>
<br /> Yes, it can be confusing when the state of the key files doesn't match the<br /> state of the zone.<br /> <br /> I think you said you have renamed all your key files back to their usual<br /> non-OLD names. Good; that is necessary if named is still looking for a key<br /> file even if it shouldn't need it any more.<br /> <br /> Then, try running `rndc sign <zone>`, to make named reload the keys. I<br /> think that should also get it to make whatever updates might be necessary.<br /> <br /> Then look at the logs to see if there are errors, and look at the DNSKEY<br /> RRset (with its RRSIGs) to make sure it matches what you expect.<br /> <br /> If that doesn't get things straightened out then, um, dunno :-)<br /> <br /> I guess it is possible to get into a muddle if you try to move a key out<br /> of the way very soon after its delete time. By default, named does key<br /> maintenance infrequently, so I guess if you move the key after its<br /> deletion time but before the next key maintenance cycle, things will get<br /> out of sync. But I have not checked whether my guess is right or not.<br /> <br /> Tony.</blockquote>
_______________________________________________<br /> Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noopener noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br /> <br /> ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank" rel="noopener noreferrer">https://www.isc.org/contact/</a> for more information.<br /> <br /> <br /> bind-users mailing list<br /> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br /> <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank" rel="noopener noreferrer">https://lists.isc.org/mailman/listinfo/bind-users</a></blockquote>
</div>
</blockquote>
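<p>The timing question raised in this thread, worked through as an added example (this is not code from the thread, from ISC, or from the poster's key-management script): it parses the Created/Publish/Activate/Inactive/Delete metadata lines exactly as pasted above, and applies the rule Mark Andrews describes, that RRSIGs made with an inactive key are only replaced as they fall due for re-signing and then linger in caches for the record TTL. The sig-validity-interval of 30 days, the re-sign window of a quarter of that (7.5 days), the 86400-second maximum TTL, and the function and field names are assumptions chosen for illustration; the timestamps are the ones from the quoted key file.</p>

```python
"""Estimate when a BIND ZSK's key files can safely be moved out of the way.

Added example, not code from the thread or from ISC. Rule applied (as stated
by Mark Andrews in the thread): after the key's Inactive time, existing
RRSIGs are replaced only as they come due for re-signing, so the last old
signature leaves the zone about (sig-validity-interval - re-sign window)
after Inactive, and resolvers may cache it for up to the record TTL after
that. Defaults below (30 days, re-sign at a quarter of that, TTL 86400 s)
are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Key metadata as pasted in the thread (constructed file content; only the
# timing lines are reproduced).
SAMPLE_PRIVATE = """\
Created: 20211031230338
Publish: 20211110220241
Activate: 20211110220341
Inactive: 20211215230338
Delete: 20211217230338
"""

TIMESTAMP_FORMAT = "%Y%m%d%H%M%S"
TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")


def parse_key_timing(text):
    """Return {field: aware UTC datetime} for the timing lines of a key file."""
    timing = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip() in TIMING_FIELDS:
            stamp = datetime.strptime(value.strip(), TIMESTAMP_FORMAT)
            timing[field.strip()] = stamp.replace(tzinfo=timezone.utc)
    return timing


def last_rrsig_gone(timing, sig_validity_days=30.0, resign_days=None,
                    max_ttl_seconds=86400):
    """Earliest instant by which no RRSIG made with this key should remain
    in the zone or in a well-behaved cache.

    A signature produced just before Inactive expires sig_validity_days later
    and is regenerated once it is within resign_days of expiry, so it is
    replaced at Inactive + (sig_validity_days - resign_days); add the TTL for
    cached copies. resign_days defaults to a quarter of the validity period
    (assumed default re-sign window).
    """
    if resign_days is None:
        resign_days = sig_validity_days / 4
    resign_window = timedelta(days=sig_validity_days - resign_days)
    return timing["Inactive"] + resign_window + timedelta(seconds=max_ttl_seconds)


def delete_time_shortfall(timing, **kwargs):
    """How much earlier the file's Delete time is than the last-RRSIG bound.

    Positive means the metadata says 'delete' while signatures made with the
    key can still be in circulation, which is the situation in the thread.
    """
    return last_rrsig_gone(timing, **kwargs) - timing["Delete"]


def safe_to_remove_files(timing, now, **kwargs):
    """True once both the Delete time and the last-RRSIG bound have passed."""
    return now >= max(timing["Delete"], last_rrsig_gone(timing, **kwargs))


if __name__ == "__main__":
    t = parse_key_timing(SAMPLE_PRIVATE)
    print("Inactive:           ", t["Inactive"])
    print("Delete (metadata):  ", t["Delete"])
    print("Last old RRSIG gone:", last_rrsig_gone(t))
    print("Delete is early by: ", delete_time_shortfall(t))
    for probe in ("20211218000000", "20220125000000"):
        now = datetime.strptime(probe, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
        print(probe, "safe to move key files:", safe_to_remove_files(t, now))
```

<p>Run against the thread's own numbers, the Delete time (two days after Inactive) comes roughly three weeks before the point at which, under a 30-day sig-validity-interval and a one-day TTL, the last RRSIG made with that key could have been re-signed and aged out of caches; a script that moves the files at the Delete time is therefore acting on the metadata alone, not on the state of the zone. Feed the function your zone's real sig-validity-interval, re-sign value, and largest TTL rather than the assumed defaults.</p>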
</body></html>