In message <525590bd.8030...@networktest.com>, David Newman writes:
>
>
> On 10/8/13 5:54 PM, Mark Andrews wrote:
> > In message <52548a5d.3070...@networktest.com>, David Newman writes:
> >> bind 9.9.4
> >>
> >> How to troubleshoot issues when keys are supposed to be invalidated or
> >> deleted on specific dates, but aren't?
> >>
> >> In this case, a KSK was supposed to be inactivated on 29 September 2013
> >> and deleted on 9 October 2013.
> >>
> >> From the .key file:
> >>
> >> ; This is a key-signing key, keyid 56989, for networktest.com.
> >> ; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
> >> ; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
> >> ; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
> >> ; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
> >> ; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
> >>
> >> Problem is, dig says the key is still active, and will be until 29
> >> October 2013:
> >
> > Named stopped SIGNING with this record on October 29.
>
> Since this is in the future, I think you mean "will stop signing"?
Actually it was September 29, so it has now passed.

> > Inception (20130929181450) is over an hour (clock skew allowance)
> > before the Inactivation (20130929201510) time.
>
> OK, do I understand correctly that because the RRSIG got created just
> before the inactivate date, it will live on for sig-validity-interval
> (30 days in this case), regardless of the key's deletion date?

Yes.

> > The RRSIG will be replaced when the record is due to be re-signed,
> > which is based on the sig-validity-interval.
> >
> > I would be extending the deletion date to 30 days (sig-validity-interval)
> > after the inactivation date.
>
> Right, understood.
>
> In UTC terms, we've already passed the key's deletion date. Can I
> retroactively extend the key's deletion date?

Yes. The files are not removed. You will need to tell named to re-read
the .private file using "rndc signzone" after setting the deletion time.

> Thanks
>
> dn
>
> >
> > Mark
> >
> >> $ dig networktest.com @localhost +multi rrsig | grep 56989
> >>
> >> 20131029191450 20130929181450 56989 networktest.com.
> >>
> >> named.conf has this:
> >>
> >> options {
> >>     ..
> >>     // DNSSEC stuff
> >>     managed-keys-directory "managed-keys";
> >>     dnssec-enable yes;
> >>     dnssec-validation auto;
> >> };
> >>
> >> ..
> >>
> >> zone "networktest.com" {
> >>     type master;
> >>     ..
> >>     key-directory "managed-keys/networktest.com";
> >>     inline-signing yes;
> >>     auto-dnssec maintain;
> >> };
> >>
> >> $ ls -l managed-keys/networktest.com/ | grep 56989
> >> -rw-r----- 1 bind bind  719 Jul 31 13:15 Knetworktest.com.+008+56989.key
> >> -rw------- 1 bind bind 1824 Jul 31 13:15 Knetworktest.com.+008+56989.private
> >>
> >> I don't understand the disconnect between the configured inactive/delete
> >> times and the ones returned by dig, and presume this is because I've
> >> misconfigured something.
> >>
> >> Thanks in advance for troubleshooting clues.
> >>
> >> dn
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
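An added check, not code from the thread or from ISC: it parses the timing comments of the .key file and the RRSIG fields from dig as quoted above, and applies Mark's rule that the Delete time must be at least sig-validity-interval (30 days here) after Inactive, since a signature made just before Inactive stays valid that long. The sample inputs are the ones from the thread; `dnssec-settime -D` is BIND's tool for rewriting the Delete time, after which "rndc signzone" makes named re-read the file.

```python
# Added example (not code from the thread): check a BIND key's Delete time
# against the lifetime of the signatures it made, per the rule in the thread.
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the .key comment header and dig output quoted above.
KEY_FILE = """\
; This is a key-signing key, keyid 56989, for networktest.com.
; Created: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Publish: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Activate: 20130723214837 (Tue Jul 23 14:48:37 2013)
; Inactive: 20130929201510 (Sun Sep 29 13:15:10 2013)
; Delete: 20131009201510 (Wed Oct 9 13:15:10 2013)
"""
# RRSIG fields as printed by `dig +multi rrsig`: expiration, inception, keyid, signer.
RRSIG_LINE = "20131029191450 20130929181450 56989 networktest.com."
SIG_VALIDITY = timedelta(days=30)  # named's sig-validity-interval, per the thread

def parse_ts(s):
    """YYYYMMDDHHMMSS in UTC, the format used in key files and RRSIG records."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_times(text):
    """Map the timing metadata comments (Publish, Activate, ...) to datetimes."""
    pat = r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})"
    return {m.group(1): parse_ts(m.group(2)) for m in re.finditer(pat, text, re.M)}

def parse_rrsig(line):
    exp, inc, keyid, signer = line.split()[:4]
    return {"expiration": parse_ts(exp), "inception": parse_ts(inc),
            "keyid": int(keyid), "signer": signer}

def check_delete_time(key_times, rrsig, sig_validity=SIG_VALIDITY):
    """Return (ok, required_delete). The last RRSIG can be made just before
    Inactive and stays valid for sig_validity, so Delete must not precede
    Inactive + sig_validity, nor the expiry of a signature already published."""
    required = key_times["Inactive"] + sig_validity
    delete = key_times["Delete"]
    ok = delete >= required and delete >= rrsig["expiration"]
    return ok, required

def settime_command(keyfile_base, required):
    """dnssec-settime invocation that moves the Delete time; run `rndc signzone` afterwards."""
    return f"dnssec-settime -D {required.strftime('%Y%m%d%H%M%S')} {keyfile_base}"

if __name__ == "__main__":
    ok, required = check_delete_time(parse_key_times(KEY_FILE), parse_rrsig(RRSIG_LINE))
    print("ok" if ok else settime_command("Knetworktest.com.+008+56989", required))
```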