- Original Message -
> On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. <
> lkc...@ksu.edu > wrote:
> > > So, can I just remove the Revoke line (is there an option in
> > > dnssec-settime to do this?) and have things fixed...
> >
>
> > guess dnssec-settime -A none -R none will
On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. wrote:
>
>
> --
>
>
>
> So, can I just remove the Revoke line (is there an option in
> dnssec-settime to do this?) and have things fixed...
>
>
> guess dnssec-settime -A none -R none will remove itbut guessing
- Original Message -
> So, can I just remove the Revoke line (is there an option in
> dnssec-settime to do this?) and have things fixed...
guess dnssec-settime -A none -R none will remove itbut guessing there's
more to fixing my current mess?
--
Who: Lawrence K. Chen, P.Eng. - W0
> So, can I just remove the Revoke line (is there an option in
> dnssec-settime to do this?)
"dnssec-settime -R none" can do that. But I gather the key has already
had its REVOKE flag set in the zone, so if you want to get things back to
the status quo, you probably want to purge and restore the
On 06/09/13 17:28, Lawrence K. Chen, P.Eng. wrote:
And, the prior ZSK was 14565
; This is a zone-signing key, keyid 14565, for ksu.edu.
; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
- Original Message -
> Lawrence K. Chen, P.Eng. wrote:
> >
> > And, the prior ZSK was 14565
> >
> > ; This is a zone-signing key, keyid 14565, for ksu.edu.
> > ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> > ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> > ; Activate: 20
- Original Message -
> On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt < e...@isc.org > wrote:
> > The revoke bit has no defined meaning for a ZSK.
>
> While it's true the revoke bit really has no use for a true ZSK
> (i.e., a key where there's another key, a KSK, that is used to
> authentica
On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt wrote:
> The revoke bit has no defined meaning for a ZSK.
While it's true the revoke bit really has no use for a true ZSK (i.e., a
key where there's another key, a KSK, that is used to authenticate it), RFC
5011 doesn't distinguish based on either sign
> The current ZSK is 44538
>
> ; This is a zone-signing key, keyid 44538, for ksu.edu.
[...]
> ; Revoke: 2013120209 (Mon Dec 2 03:00:00 2013)
The revoke bit has no defined meaning for a ZSK. It's used for updating
trust anchors via RFC 5011. The code allows you to set it (just as it
allows y
On 06/09/13 17:39, Tony Finch wrote:
It is the same key as 14565 but the addition of the revoke bit has changed
the tag.
Oops yes, not crazy flags - revoke bit.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from
Lawrence K. Chen, P.Eng. wrote:
>
> And, the prior ZSK was 14565
>
> ; This is a zone-signing key, keyid 14565, for ksu.edu.
> ; Created: 2013060109 (Sat Jun 1 04:00:00 2013)
> ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)
> ; Rev
Getting resports of people with certain ISPs (like comcast) can't resolve my
domains now.
Did a dnsvis on my domain and the error is:
RRSIG ksu.edu/A by ksu.edu/DNSKEY alg 8, key 14693:The RRSIG was made by a
revoked key.
Which makes no sense, because I have no key with that id in my key repos
12 matches
Mail list logo
