Re: zsk rollover

2020-02-25 Thread Alan Batie
On 2/25/20 2:22 PM, Mark Andrews wrote: > You could set "sig-validity-interval to 30 29;" if you want to see things > happen > faster. This causes the RRSIGs to have a 30 day validity interval and be > re-signed > 29 days before that expires. That sounds like a useful option, thanks! > Rememb

Re: zsk rollover

2020-02-25 Thread Mark Andrews
> On 26 Feb 2020, at 08:40, Alan Batie wrote: > > On 2/25/20 1:30 PM, Mark Andrews wrote: >> Firstly unset the deletion date for the old key. It is way >> too early for incremental re-signing. Named replaces RRSIG >> *as-they-fall-due* for re-signing. With the defaults that >> takes 22.5 da

Re: zsk rollover

2020-02-25 Thread Alan Batie
On 2/25/20 1:30 PM, Mark Andrews wrote: > Firstly unset the deletion date for the old key. It is way > too early for incremental re-signing. Named replaces RRSIG > *as-they-fall-due* for re-signing. With the defaults that > takes 22.5 days with a sig-validity-interval of 30 days. > > All Inact

Re: zsk rollover

2020-02-25 Thread Mark Andrews
Feb 2020, at 07:02, Alan Batie wrote: > > BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 > > I'm testing zsk rollover on a currently unused domain, and expected the > rollover to happen automatically Saturday, however it appears that it > only partially has: acc

zsk rollover

2020-02-25 Thread Alan Batie
BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 I'm testing zsk rollover on a currently unused domain, and expected the rollover to happen automatically Saturday, however it appears that it only partially has: according to https://dnssec-analyzer.verisignlabs.com/peakmail.com (if I read it right), th

Re: ZSK rollover detail needed.

2016-02-18 Thread Mark Andrews
In message <201602181942.u1ijgrkf001...@dolphin.adi.com>, Thomas Schulz writes: > A recommended way to set up a ZSK rollover is to set the inactive date of > the current key one month later than the publish date of the replacement key. > This makes sense as the RRSIG records are

ZSK rollover detail needed.

2016-02-18 Thread Thomas Schulz
A recommended way to set up a ZSK rollover is to set the inactive date of the current key one month later than the publish date of the replacement key. This makes sense as the RRSIG records are created to last one month from their creation date. Now if I try to speed up the ZSK rollover to make

Re: DNSSEC ZSK rollover

2015-09-01 Thread Tony Finch
Evan Hunt wrote: > > It is intentional; it spreads out the work of resigning over a longer > period of time to reduce the load on the server. (And a lot of people > prefer smaller IXFRs anyway.) We have tweaked sig-signing-nodes and sig-signing-signatures to make incremental signing work in large

Re: DNSSEC ZSK rollover

2015-08-29 Thread Robert Senger
Thanks, that's what I wanted to know. I'll leave it like it is now. Robert On Friday, 28.08.2015, 21:24 +, Evan Hunt wrote: > On Fri, Aug 28, 2015 at 07:24:23PM +0200, Robert Senger wrote: > > Is that the intended behaviour, or do I miss a point to get the zones > > resigned in one si

Re: DNSSEC ZSK rollover

2015-08-28 Thread Evan Hunt
On Fri, Aug 28, 2015 at 07:24:23PM +0200, Robert Senger wrote: > Is that the intended behaviour, or do I miss a point to get the zones > resigned in one single action (and transferred with one single IXFR) > rather than getting each RR resigned separately? It is intentional; it spreads out the work

DNSSEC ZSK rollover

2015-08-28 Thread Robert Senger
fer { key my-transfer-key; }; }; I added the required timing information to the ZSKs (P/A/I/D), and set up a cron run script that generates the new keys for prepublication when it's time. It almost works as expected, but unlike ZSK rollover with rollerd, zones ar

Re: ZSK rollover weirdness

2013-09-09 Thread Lawrence K. Chen, P.Eng.
- Original Message - > On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. < > lkc...@ksu.edu > wrote: > > > So, can I just remove the Revoke line (is there an option in > > > dnssec-settime to do this?) and have things fixed... > > > > > guess dnssec-settime -A none -R none will

Re: ZSK rollover weirdness

2013-09-09 Thread Casey Deccio
On Fri, Sep 6, 2013 at 1:32 PM, Lawrence K. Chen, P.Eng. wrote: > > > -- > > > > So, can I just remove the Revoke line (is there an option in > dnssec-settime to do this?) and have things fixed... > > > guess dnssec-settime -A none -R none will remove it...but guessing

Re: ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
- Original Message - > So, can I just remove the Revoke line (is there an option in > dnssec-settime to do this?) and have things fixed... guess dnssec-settime -A none -R none will remove it...but guessing there's more to fixing my current mess? -- Who: Lawrence K. Chen, P.Eng. - W0

Re: ZSK rollover weirdness

2013-09-06 Thread Evan Hunt
> So, can I just remove the Revoke line (is there an option in > dnssec-settime to do this?) "dnssec-settime -R none" can do that. But I gather the key has already had its REVOKE flag set in the zone, so if you want to get things back to the status quo, you probably want to purge and restore the

Re: ZSK rollover weirdness

2013-09-06 Thread Phil Mayers
On 06/09/13 17:28, Lawrence K. Chen, P.Eng. wrote: And, the prior ZSK was 14565 ; This is a zone-signing key, keyid 14565, for ksu.edu. ; Created: 2013060109 (Sat Jun 1 04:00:00 2013) ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013) ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013)

Re: ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
- Original Message - > Lawrence K. Chen, P.Eng. wrote: > > > > And, the prior ZSK was 14565 > > > > ; This is a zone-signing key, keyid 14565, for ksu.edu. > > ; Created: 2013060109 (Sat Jun 1 04:00:00 2013) > > ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013) > > ; Activate: 20

Re: ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
sec-keygen calls acquired -A and -R switches. And, the intent was for -A to be +7d, but the d got missed...so that's why it's 7 seconds after creation. So, can I just remove the Revoke line (is there an option in dnssec-settime to do this?) and have things fixed...or do I need

Re: ZSK rollover weirdness

2013-09-06 Thread Casey Deccio
On Fri, Sep 6, 2013 at 10:22 AM, Evan Hunt wrote: > The revoke bit has no defined meaning for a ZSK. While it's true the revoke bit really has no use for a true ZSK (i.e., a key where there's another key, a KSK, that is used to authenticate it), RFC 5011 doesn't distinguish based on either sign

Re: ZSK rollover weirdness

2013-09-06 Thread Evan Hunt
> The current ZSK is 44538 > > ; This is a zone-signing key, keyid 44538, for ksu.edu. [...] > ; Revoke: 2013120209 (Mon Dec 2 03:00:00 2013) The revoke bit has no defined meaning for a ZSK. It's used for updating trust anchors via RFC 5011. The code allows you to set it (just as it allows y

Re: ZSK rollover weirdness

2013-09-06 Thread Phil Mayers
On 06/09/13 17:39, Tony Finch wrote: It is the same key as 14565 but the addition of the revoke bit has changed the tag. Oops yes, not crazy flags - revoke bit.

Re: ZSK rollover weirdness

2013-09-06 Thread Tony Finch
Lawrence K. Chen, P.Eng. wrote: > > And, the prior ZSK was 14565 > > ; This is a zone-signing key, keyid 14565, for ksu.edu. > ; Created: 2013060109 (Sat Jun 1 04:00:00 2013) > ; Publish: 20130601090007 (Sat Jun 1 04:00:07 2013) > ; Activate: 20130601090007 (Sat Jun 1 04:00:07 2013) > ; Rev

ZSK rollover weirdness

2013-09-06 Thread Lawrence K. Chen, P.Eng.
Getting reports of people with certain ISPs (like comcast) can't resolve my domains now. Did a dnsvis on my domain and the error is: RRSIG ksu.edu/A by ksu.edu/DNSKEY alg 8, key 14693:The RRSIG was made by a revoked key. Which makes no sense, because I have no key with that id in my key repos

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Evan Hunt
> I'm not sure it is a good idea. BIND is already quite loaded in > features. Why not rely on dedicated free software such as > OpenDNSSEC ? AFAIK, OpenDNSSEC works fine with 9.7. (And it rocks and everyone should check it out.) But there's room for both approaches

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Alan Clegg
Stephane Bortzmeyer wrote: >> We have plans to improve this in 9.7.x (where x probably equals 1) >> in a couple of ways: first, by making it possible to assign each key >> an explicit successor key and warn the user if a key is set to >> expire without a successor; second, by making it possible to

Re: Scripts for zsk rollover in 9.7

2010-02-23 Thread Stephane Bortzmeyer
On Sat, Feb 20, 2010 at 09:15:23PM +, Evan Hunt wrote a message of 22 lines which said: > We have plans to improve this in 9.7.x (where x probably equals 1) > in a couple of ways: first, by making it possible to assign each key > an explicit successor key and warn the user if a key is set

Re: Scripts for zsk rollover in 9.7

2010-02-20 Thread Evan Hunt
> So before I go rolling my own perl solution to read the > metadata out of the keyfiles and do the ZSK rolls, are > there any utilities that do this in 9.7? It looks like when > a zsk expires, bind's auto-signing will just drop it from > the zone. I recommend that you not set an expiration date f

ZSK rollover with BIND 9.6 and an automatically re-signed zone

2009-03-25 Thread Chris Thompson
Scenario: BIND 9.6, and a signed zone all changes to which are made by DNS update operations. Re-signing with the current ZSK is being done automatically by BIND. The question is how to roll over ZSKs for such a zone with these desired features: 1. The bulk of RRsets in the zone are signed with