On Oct 8, 2013, at 6:42 PM, David Newman <dnew...@networktest.com> wrote:
> bind 9.9.4
>
> How to troubleshoot issues when keys are supposed to be invalidated or
> deleted on specific dates, but aren't?
>
> In this case, a KSK was supposed to be inactivated on 29 September 2013
> and deleted on 9 October 2013.
>
> From the .key file:
>
> ; This is a key-signing key, keyid 56989, for networktest.com.
> ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
> ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
> ; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
>
> Problem is, dig says the key is still active, and will be until 29
> October 2013:
>
> $ dig networktest.com @localhost +multi rrsig | grep 56989
>
> 20131029191450 20130929181450 56989 networktest.com.

You don't provide all of the record. It's an RRSIG that is still within its lifetime.

Do a dig for "DNSKEY" rrtype at the zone name and see what you get back.

AlanC
--
Alan Clegg | +1-919-355-8851 | a...@clegg.com
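An added example, not part of the original thread and not BIND code: Python that reads the key timing comments and the RRSIG fragment quoted in the message and reports the key's scheduled state separately from the lifetime of a signature that already exists. The function names and the evaluation time are assumptions made for illustration; the inputs are the lines quoted above.

```python
from datetime import datetime, timezone
import re

FMT = "%Y%m%d%H%M%S"  # timestamp layout used in .key comments and RRSIG fields (UTC)

# Constructed input: the timing comments and RRSIG fragment quoted in the message.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
"""
RRSIG_FRAGMENT = "20131029191450 20130929181450 56989 networktest.com."

def ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def key_timing(text):
    """Map each '; Name: YYYYMMDDHHMMSS' comment to a UTC datetime."""
    return {m[1]: ts(m[2]) for m in re.finditer(r"^; (\w+): (\d{14})\b", text, re.M)}

def rrsig_window(fragment):
    """Parse 'expiration inception keytag signer', the order dig prints them in."""
    exp, inc, tag, signer = fragment.split()
    return {"expiration": ts(exp), "inception": ts(inc), "keytag": int(tag), "signer": signer}

def report(timing, sig, now):
    return {
        # Is the key scheduled to be generating new signatures at this time?
        "key_should_sign": timing["Activate"] <= now < timing["Inactive"],
        # Is the DNSKEY record scheduled to be present in the zone?
        "dnskey_should_be_published": timing["Publish"] <= now < timing["Delete"],
        # An existing signature stays valid until its own expiration field.
        "rrsig_in_lifetime": sig["inception"] <= now <= sig["expiration"],
        "rrsig_inception_before_inactive": sig["inception"] < timing["Inactive"],
    }

if __name__ == "__main__":
    now = datetime(2013, 10, 8, tzinfo=timezone.utc)  # assumed evaluation time
    for name, value in report(key_timing(KEY_FILE), rrsig_window(RRSIG_FRAGMENT), now).items():
        print(f"{name}: {value}")
```
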