Try without +short ;) I also have the habit of using that and can get caught out. Remember that +short only includes the answer, which is not the RRSIG you are hoping to see.
On 19/01/11 12:49 PM, "Zbigniew Jasiński" <[email protected]> wrote:

> On 2011-01-17 15:39, Kalman Feher wrote:
>> Have you tried more sane times?
>>
>> Those don't look like sensible times even for a test, which is probably why
>> BIND isn't signing. I think you are below the sensitivity level for BIND to
>> sign automatically.
>>
>> If you want to test, try using hours or days as values. When initially
>> testing I used lifetimes of a week, then increased to 1 month for ZSKs and 3
>> months for KSKs. That allowed me to test things quickly, but without
>> compromising the validity of the test.
>>
>
> maybe it was a little too short for keys, but ok, new keys with new timings:
>
> ; Created: 20110119091030 (Wed Jan 19 10:10:30 2011)
> ; Publish: 20110119091124 (Wed Jan 19 10:11:24 2011)
> ; Activate: 20110119091224 (Wed Jan 19 10:12:24 2011)
> ; Inactive: 20110218091224 (Fri Feb 18 10:12:24 2011)
> ; Delete: 20110218091724 (Fri Feb 18 10:17:24 2011)
>
> and what I've seen in logs:
>
> NSEC3PARAM via dynamic update, and 'rndc sign' command:
>
> Jan 19 10:10:24 named[32664]: update: client 127.0.0.1#65349: updating
> zone 'example/IN': adding an RR at 'example' NSEC3PARAM
> Jan 19 10:10:24 named[32664]: general: zone example/IN:
> dns_zone_addnsec3chain(hash=1, iterations=12, salt=1BDF09CE56C674D422EB)
> Jan 19 10:10:24 named[32664]: general: zone example/IN:
> zone_addnsec3chain(1,CREATE,12,1BDF09CE56C674D422EB)
> Jan 19 10:10:30 named[32664]: general: received control channel command
> 'sign example'
> Jan 19 10:10:30 named[32664]: general: zone example/IN: reconfiguring
> zone keys
> Jan 19 10:10:30 named[32664]: general: zone example/IN:
> zone_addnsec3chain(1,REMOVE|NONSEC,12,1BDF09CE56C674D422EB)
> Jan 19 10:10:30 named[32664]: general: zone example/IN: next key event:
> 19-Jan-2011 10:11:24.765
>
> first key event is Publish:
>
> Jan 19 10:11:24 named[32664]: general: zone example/IN: reconfiguring
> zone keys
> Jan 19 10:11:24 named[32664]: general: zone example/IN: next key event:
> 19-Jan-2011 11:11:24.807
>
> second one is Activate, which should occur on (Wed Jan 19 10:12:24 2011),
> but in the log it is one hour later; why is that?
>
> but ok, signing the zone is most important, so after the Activate key event:
>
> Jan 19 11:11:24 named[32664]: general: zone example/IN: reconfiguring
> zone keys
> Jan 19 11:11:25 named[32664]: general: zone example/IN: next key event:
> 18-Feb-2011 10:12:24.274
>
> so now I should have a signed zone with KSK/ZSK of one month lifetime.
> using dig:
>
> $ dig @127.0.0.1 example dnskey +dnssec +short
> 257 3 10 AwEAAa7r9QSelP34TYFVWWLhDVU+RU+LI7Fr9N0Hy2xnJ/8TK8sRo+OC
> <CUT>
> 256 3 10 AwEAAa/sFWJDcylO33IQWnpKEve661t0S/K8+AWPy+PSq69xo27WUGRN
> <CUT>
>
> so I have both keys in my zone, but without signatures.
>
> I've checked the journal file and there are updates with RRSIG records
> but still named is returning answers without signatures.
>
> Any hint?
>
> --
> regards
>
> zbigniew jasinski
> [SYStem OPerator]

-- 
Kal Feher

_______________________________________________
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
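A small check that follows from the reply above: rather than eyeballing dig output, parse the full (non-+short) answer section and report whether each RRset in it is accompanied by an RRSIG. This is an added example, not code from the thread or from BIND; the two dig answer sections are constructed samples with placeholder key and signature material (the one-hour Activate delay the poster asks about is not modelled here).

```python
"""Check RRSIG coverage in a dig +dnssec answer section (constructed samples)."""
import re
from collections import defaultdict

# Constructed sample: what `dig @127.0.0.1 example dnskey +dnssec` (without +short)
# prints in its ANSWER SECTION once the zone is actually signed. Key and
# signature material are placeholders, not real cryptographic values.
SIGNED_ANSWER = """\
;; ANSWER SECTION:
example.\t3600\tIN\tDNSKEY\t257 3 10 AwEAAa7r9QSelP34TYFVWWLhDVU+PLACEHOLDER
example.\t3600\tIN\tDNSKEY\t256 3 10 AwEAAa/sFWJDcylO33IQWnpKEve6PLACEHOLDER
example.\t3600\tIN\tRRSIG\tDNSKEY 10 1 3600 20110218091224 20110119091224 12345 example. SIGPLACEHOLDER==
"""

# Constructed sample: the same query against a zone that publishes keys but
# has not produced signatures yet (the situation described in the thread).
UNSIGNED_ANSWER = """\
;; ANSWER SECTION:
example.\t3600\tIN\tDNSKEY\t257 3 10 AwEAAa7r9QSelP34TYFVWWLhDVU+PLACEHOLDER
example.\t3600\tIN\tDNSKEY\t256 3 10 AwEAAa/sFWJDcylO33IQWnpKEve6PLACEHOLDER
"""

# owner  ttl  IN  type  rdata   (dig separates the fields with tabs/spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer(text):
    """Split dig output into {type: [rdata]} and {covered_type: [rrsig_rdata]}."""
    rrsets = defaultdict(list)
    rrsigs = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if not m:
            continue  # ';;' comment lines and blanks
        _owner, _ttl, rtype, rdata = m.groups()
        if rtype == "RRSIG":
            # The first rdata token of an RRSIG is the type it covers.
            rrsigs[rdata.split()[0]].append(rdata)
        else:
            rrsets[rtype].append(rdata)
    return rrsets, rrsigs


def signed_types(text):
    """Map each RRset type in the answer to True if an RRSIG covers it."""
    rrsets, rrsigs = parse_answer(text)
    return {rtype: rtype in rrsigs for rtype in rrsets}


if __name__ == "__main__":
    print("signed zone:  ", signed_types(SIGNED_ANSWER))    # {'DNSKEY': True}
    print("unsigned zone:", signed_types(UNSIGNED_ANSWER))  # {'DNSKEY': False}
```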

