[dns-operations] Problem with BIND 9.9.5 and automatic ZSK rollover?
lampe at hauke-lampe.de
Tue Jun 10 12:11:39 UTC 2014
On 10.06.2014 12:01, Sebastian Wiesinger wrote:
> I tried to rollover the ZSK from keyid 38946 to keyid 50205 without
> double-signing (deactivate old key and activate the new one at the
> same time). The metadata for the keys is:
> ; This is a zone-signing key, keyid 38946, for karotte.org.
> ; Created: 20140519072829 (Mon May 19 09:28:29 2014)
> ; Publish: 20140519084611 (Mon May 19 10:46:11 2014)
> ; Activate: 20140526072632 (Mon May 26 09:26:32 2014)
> ; Inactive: 20140609140929 (Mon Jun 9 16:09:29 2014)
> ; Delete: 20140611140929 (Wed Jun 11 16:09:29 2014)
> ; This is a zone-signing key, keyid 50205, for karotte.org.
> ; Created: 20140526141128 (Mon May 26 16:11:28 2014)
> ; Publish: 20140607140929 (Sat Jun 7 16:09:29 2014)
> ; Activate: 20140609140929 (Mon Jun 9 16:09:29 2014)
> But looking at the zone right now I see that only the SOA is signed
> with the new key and all the other records are signed with the old
> I assumed BIND would change all the signatures at once. Or am I
> getting something wrong? Also I got some strange log output when the
> keys were supposed to switch:
The old key stops signing new records after the inactivation date.
Modified records are signed by the new/active keys only.
Existing signatures are kept until they need to be refreshed (configured
with sig-validity-interval) or the key is deleted.
So you'll probably see new signatures for all records tomorrow.
> Jun 9 16:09:31 alita named: validating @0x7f4d6c000fc0: dlv.isc.org DNSKEY: must be secure failure, . is under DLV (startfinddlvsep)
> Not sure what the dlv lookup has to do with all of that but it occurred
> right after the zone was updated.
Probably while resolving the names of the slave servers from the NS
records. Do you have trust anchors and/or DLV configured?
The bind-users list might know more about that.
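The behaviour described in the reply (an inactive ZSK keeps its existing signatures until they come up for refresh or the key is deleted, while anything re-signed after the Inactive date gets the new key) can be checked against a zone directly. The script below is an added example, not code from the thread or from BIND: it parses the timing comments that dnssec-keygen/dnssec-settime write into the K*.key files, parses RRSIG records as `dig +dnssec` prints them, and for every signature reports the signing key's lifecycle state and whether named will replace it on the normal re-sign schedule or only once the key is deleted. The key metadata is the one quoted above; the RRSIG lines, the `now_stamp` and the `resign_days` value are constructed. The refresh model (`expiration - resign_days`, standing in for the re-sign lead time configured with sig-validity-interval) is a simplification I assume here, not BIND's exact scheduler.

```python
"""Walk a BIND-style ZSK rollover: which RRSIGs still come from the inactive
key, and when named is expected to replace them."""
import re
from datetime import datetime, timedelta

STAMP = "%Y%m%d%H%M%S"   # YYYYMMDDHHMMSS (UTC), as used in key metadata and RRSIGs

# Constructed sample: timing comment lines from the two K*.key files quoted in
# the thread (keyids and stamps from the post, the parenthetical dates omitted).
KEY_METADATA = """\
; This is a zone-signing key, keyid 38946, for karotte.org.
; Created: 20140519072829
; Publish: 20140519084611
; Activate: 20140526072632
; Inactive: 20140609140929
; Delete: 20140611140929
; This is a zone-signing key, keyid 50205, for karotte.org.
; Created: 20140526141128
; Publish: 20140607140929
; Activate: 20140609140929
"""

# Constructed sample RRSIGs as `dig +dnssec` might print them on 10 Jun 2014.
# Fields: owner TTL class RRSIG type alg labels origttl expiration inception keytag signer sig
# The signature data is a placeholder; only the timing and key tag fields are used.
ZONE_RRSIGS = """\
karotte.org.      3600 IN RRSIG SOA 8 2 3600 20140617140931 20140609140931 50205 karotte.org. PLACEHOLDER==
karotte.org.      3600 IN RRSIG NS  8 2 3600 20140613082212 20140606082212 38946 karotte.org. PLACEHOLDER==
www.karotte.org.  3600 IN RRSIG A   8 3 3600 20140613082212 20140606082212 38946 karotte.org. PLACEHOLDER==
mail.karotte.org. 3600 IN RRSIG A   8 3 3600 20140616091500 20140609091500 38946 karotte.org. PLACEHOLDER==
"""


def parse_stamp(s):
    return datetime.strptime(s, STAMP)


def parse_key_metadata(text):
    """Return {keyid: {"Publish": datetime, "Activate": ..., ...}} from the comment lines."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r";\s*This is a (?:zone|key)-signing key, keyid (\d+)", line)
        if m:
            current = int(m.group(1))
            keys[current] = {}
            continue
        m = re.match(r";\s*(Created|Publish|Activate|Inactive|Delete|Revoke):\s*(\d{14})", line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_stamp(m.group(2))
    return keys


def parse_rrsigs(text):
    """Parse RRSIG records in presentation format; lines that are not RRSIGs are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        sigs.append({"owner": f[0], "type": f[4],
                     "expiration": parse_stamp(f[8]), "inception": parse_stamp(f[9]),
                     "keytag": int(f[10])})
    return sigs


def key_state(meta, now):
    """Lifecycle state of one key at `now`, derived from its timing metadata."""
    if not meta:
        return "unknown"
    if "Delete" in meta and now >= meta["Delete"]:
        return "deleted"
    if "Inactive" in meta and now >= meta["Inactive"]:
        return "inactive"      # still published, no longer used for new signatures
    if "Activate" in meta and now >= meta["Activate"]:
        return "active"
    if "Publish" in meta and now >= meta["Publish"]:
        return "published"     # DNSKEY in the zone, not signing yet
    return "unpublished"


def rollover_report(keys, sigs, now_stamp, resign_days):
    """For each RRSIG: signing key, its state, and when/how the signature gets replaced.
    Assumption: named re-signs a record once its RRSIG is within `resign_days` of expiry."""
    now, resign = parse_stamp(now_stamp), timedelta(days=resign_days)
    rows = []
    for s in sigs:
        meta = keys.get(s["keytag"], {})
        state = key_state(meta, now)
        refresh_at = s["expiration"] - resign
        if state == "inactive" and "Delete" in meta and refresh_at >= meta["Delete"]:
            outcome = "replaced only when the key is deleted"
        elif state == "inactive":
            outcome = "re-signed by the active key at scheduled refresh"
        elif state == "active":
            outcome = "current"
        else:
            outcome = "check key timing"
        rows.append({"owner": s["owner"], "type": s["type"], "keytag": s["keytag"],
                     "key_state": state, "refresh_at": refresh_at.strftime(STAMP),
                     "outcome": outcome})
    return rows


if __name__ == "__main__":
    report = rollover_report(parse_key_metadata(KEY_METADATA), parse_rrsigs(ZONE_RRSIGS),
                             "20140610120000", 2)   # constructed: 10 Jun 2014, 2-day re-sign lead
    for r in report:
        print(f"{r['owner']:<18} {r['type']:<4} key {r['keytag']} ({r['key_state']}) "
              f"refresh {r['refresh_at']}: {r['outcome']}")
```

Run against a real zone by piping `dig +dnssec +noall +answer @server zone ANY` output (or the signed zone file) into `parse_rrsigs` and the K*.key files into `parse_key_metadata`; the rows for the inactive key show exactly the "only the SOA has the new key" picture from the original post and, per record, the point at which the old key's signatures are due to disappear.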