A little while back I started to write a simple script to automate rollover.
Before I go much further I think I should find out if I am duplicating
something that has already been done, or is in the works?
Is there anything known, or even rumored?
--
John Allen
KLaM
---
I wrote myself a small bash script to handle ZSK rollover, it might
handle KSK but I have tried it.
All it does is to setup for a DNSSEC-keygen. My idea is to automatically
pick a ZSK and use it as the base for the next key set, as per the -S
param in DNSSEC-keygen.
The only real additions are t
A couple of weeks ago I found a DNSSEC key rollover problem with bind 9.9.0b2.
See https://lists.isc.org/pipermail/bind-users/2011-December/086063.html. This
appears to have persisted after upgrading to bind 9.9.0rc1 this afternoon.
See http://dnsviz.net/d/jaspain.net/dnssec/. The RRSIGs on the
On 12/28/2011 10:42 PM, Spain, Dr. Jeffry A. wrote:
>
> First of all is it correct that the time stamps shown by dig for RRSIG
> records are in local time? Otherwise, if the time stamps show UTC, then
> the RRSIG for jaspain.net SOA for ZSK 42152 was generated at
> 2011121023, one hour prior t
This issue relates to the server nstest.jaspain.net (74.203.156.157), which is
running bind 9.9.0b2. Please refer to http://dnsviz.net/d/jaspain.net/dnssec/.
The RRSIGs on the jaspain.net, A, and TXT RRSets signed by ZSK 35297
expired on 12/17/2011, and those RRSets have not been resigned w
In message <7610864823c0d04d89342623a3adc9de1b022...@hopple.countryday.net>, "Spain, Dr. Jeffry A." writes:
> > And now, as July 1 has passed and July 9 approaches, can you share a
> > summary of what you found? Thanks.
> > --
> > Offlist mail to this address is discarded unless
> > "/d
> And now, as July 1 has passed and July 9 approaches, can you share a
> summary of what you found? Thanks.
> --
> Offlist mail to this address is discarded unless
> "/dev/rob0" or "not-spam" is in Subject: header
On June 10, our zone countryday.net running on a bind 9.8.0 server began a
On Fri, Jun 17, 2011 at 08:54:15PM +, Spain, Dr. Jeffry A. wrote:
> Tony Finch:
> > What does `rndc sign ` do?
>
> Thanks, Tony. I have never run rndc sign, as the zone is configured
> with auto-dnssec maintain. Before intervening in this manner, I
> would like to gain a greater understandin
On 06/18/2011 03:48 PM, Spain, Dr. Jeffry A. wrote:
Assume that bind 9.8.0 is in operation. A zone is configured with
auto-dnssec maintain, and the zone signing keys K and its successor K’
are published. Further assume that the activation time for K has passed
and the zone is properly signed with
Assume that bind 9.8.0 is in operation. A zone is configured with auto-dnssec
maintain, and the zone signing keys K and its successor K' are published.
Further assume that the activation time for K has passed and the zone is
properly signed with K. Now suppose that the activation time for K' arr
The only thing I would change is making the deletion happen
sig-validity-interval after the inactivation of the key. The idea
is to have a gradual replacement of signatures as they normally
fall due for re-signing.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHO
Thanks, Phil. The document I used to set up the rotation schedules is "Good
Practices Guide for Deploying DNSSEC" at
http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec. It recommends a
two-week interval between ZSK inactivation and deletion. I will carefully study
the IETF draft bel
On 06/17/2011 09:35 PM, Phil Mayers wrote:
In which case you're going to have a serious problem I think. You can't
delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those
RRSIGs finally disappear.
There's an RFC describing the key rotation schedules you must use in a
lot of de
> What does `rndc sign ` do?
Thanks, Tony. I have never run rndc sign, as the zone is configured with
auto-dnssec maintain. Before intervening in this manner, I would like to gain a
greater understanding of what is going on. Thanks. Jeff.
Thanks, Phil.
> How big is the zone, and how did you sign it originally? If you used "rndc
> sign", then there will be little jitter in the RRSIG so they'll all tend to
> roll over together.
> For most of our zones, I signed them manually using dnssec-signzone and tuning
> the jitter for a consta
On 06/17/2011 09:25 PM, Spain, Dr. Jeffry A. wrote:
Our zone has 115 records, not counting DNSSEC-related records. I
originally signed it by specifying the zone file and key directory
along with "auto-dnssec maintain" in the configuration file. Looking
at all the RRSIGs, they expire for the most
On 17/06/11 15:13, Spain, Dr. Jeffry A. wrote:
As of today (6/17/2011), RRSIG records for key 2750 are present for
every RRset in the zone. The only RRSIG record for key 33722 is for the
SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I
understand the process, based on the dates in
Spain, Dr. Jeffry A. wrote:
>
> I'm sure I could solve this by removing all of the DNSSEC data and
> resigning the zone, but would prefer not to do this except as a last
> resort. If anyone has troubleshooting suggestions or other insights, I
> would be grateful for those. Thanks.
What does `rndc
For our zone countryday.net, which is configured with "auto-dnssec maintain"
and is running on bind 9.8.0, a ZSK rollover is in progress but seems to be
failing.
The metadata for the original key is:
; This is a zone-signing key, keyid 2750, for countryday.net.
; Created: 20110402153620 (Sat Ap