Have you tried more sane times? Those don't look like sensible times even for a test, which is probably why BIND isn't signing. I think you are below the sensitivity level for BIND to sign automatically.
If you want to test, try using hours or days as values. When initially testing I used lifetimes of a week, then increased to 1 month for ZSKs and 3 months for KSKs. That allowed me to test things quickly, but without compromising the validity of the test.

On 17/01/11 2:47 PM, "Zbigniew Jasiński" <szo...@nask.pl> wrote:

> Hi all,
>
> I have my test zone example configured with option auto-dnssec maintain;
>
> zone "example" {
>         type master;
>         file "var/zone/example";
>         allow-update { loopback; };
>         allow-transfer { trusted; loopback; };
>         auto-dnssec maintain;
>         key-directory "var/keys/example";
> };
>
> in server conf there's also 'dnssec-enable yes'
>
> and I've configured keys (KSK/ZSK) with timing options (same for both keys):
>
> ; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
> ; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
> ; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
> ; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
> ; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)
>
> I started bind and sent an update for my example zone with NSEC3PARAM:
>
> Jan 14 16:08:40 named[25297]: general: zone example/IN: dns_zone_addnsec3chain(hash=1, iterations=12, salt=28EA1FFF42617C9D59B1)
> Jan 14 16:08:40 named[25297]: general: zone example/IN: zone_addnsec3chain(1,CREATE,12,28EA1FFF42617C9D59B1)
>
> then sent the rndc sign command:
>
> Jan 14 16:08:41 named[25297]: general: received control channel command 'sign example'
> Jan 14 16:08:41 named[25297]: general: zone example/IN: reconfiguring zone keys
> Jan 14 16:08:42 named[25297]: general: zone example/IN: zone_addnsec3chain(1,REMOVE|NONSEC,12,28EA1FFF42617C9D59B1)
> Jan 14 16:08:42 named[25297]: general: zone example/IN: next key event: 14-Jan-2011 16:13:39.200
>
> next key event is scheduled for 16:13:39.200 which is correct, and this is the key Publish event:
>
> Jan 14 16:13:39 named[25297]: general: zone example/IN: reconfiguring zone keys
> Jan 14 16:13:39 named[25297]: general: zone example/IN: next key event: 14-Jan-2011 16:23:39.234
>
> but what about the Activate event??? In the log I just see Publish, Inactive and Delete events but no Activate event. The zone is just not signed by named.
>
> If I use default settings when generating keys (Created, Publish, Activate = NOW), change 'auto-dnssec maintain' to 'auto-dnssec allow' and send 'rndc sign example', the zone is signed without problems.
>
> what's going on?
>
> --
> regards
>
> zbigniew jasinski
> [SYStem OPerator]
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Kal Feher
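An added example (not code from either message) for checking key timing metadata like that quoted above before handing the keys to named: it parses the "; Publish:" style comment lines that dnssec-keygen writes into a .key file, reports the state the key should be in at each event time, and flags consecutive lifecycle events that sit closer together than a threshold. The one-day threshold and the keyid in the sample header are assumptions for illustration, not values taken from the thread or from BIND.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the timing comments dnssec-keygen writes at the
# top of a .key file: YYYYMMDDHHMMSS is UTC; the parenthesised local time is ignored.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 12345, for example.
; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)
"""

# Lifecycle order of the events that drive named's "next key event" scheduling.
LIFECYCLE = ("Publish", "Activate", "Inactive", "Delete")
_TIMING = re.compile(r"^;\s*(\w+):\s*(\d{14})", re.M)


def parse_key_timing(text):
    """Return {event: aware UTC datetime} for every '; Event: stamp' line."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, stamp in _TIMING.findall(text)}


def key_state(timing, at):
    """State the key should be in at `at`: the latest lifecycle event already reached."""
    state = "unpublished"
    for event, label in zip(LIFECYCLE, ("published", "active", "inactive", "deleted")):
        if event in timing and at >= timing[event]:
            state = label
    return state


def short_intervals(timing, minimum=timedelta(days=1)):
    """(from, to, gap) for consecutive lifecycle events closer than `minimum`.
    One day is an illustrative threshold, not a limit BIND itself documents."""
    present = [e for e in LIFECYCLE if e in timing]
    return [(a, b, timing[b] - timing[a])
            for a, b in zip(present, present[1:]) if timing[b] - timing[a] < minimum]


if __name__ == "__main__":
    t = parse_key_timing(SAMPLE_KEY_FILE)
    for event in LIFECYCLE:
        print(f"{event:9s} {t[event]:%H:%M:%S}Z -> {key_state(t, t[event])}")
    for a, b, gap in short_intervals(t):
        print(f"warning: {a} -> {b} is only {gap}")
```

Run against the sample it reports every gap as 0:05:00, which is the schedule the reply above is objecting to; against a week-or-longer schedule it stays silent.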