Re: "auto-dnssec maintain" stoped working again...

Michelle Konzack Sun, 02 Oct 2011 09:21:10 -0700

Hello Hauke Lampe,

Am 2011-10-01 02:02:56, hacktest Du folgendes herunter:
> Do you mean expired signatures or no signatures at all?


I have expired signatures...

> In the latter case, have you checked that the zone's keys are readable
> by named and still active?

Ehm yes

root@dns1 /etc/bind # ls -Al /etc/bind/master/net/tamay-dogan/*tamay-dogan*
-rw-r--r-- 1 bind adm  502 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
-rw------- 1 bind adm 1.2K Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.private
-rw-r--r-- 1 bind adm  502 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
-rw------- 1 bind adm 1.2K Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.private
-rw-rw-r-- 1 bind adm 2.2K Jul  3 17:10 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan
-rw-rw-r-- 1 bind adm  249 Jun 17 22:33 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf
-rw-r--r-- 1 bind adm  256 Jul  3 17:10 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.conf.signed
-rw-rw-r-- 1 bind adm 1.1K Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1
-rw-rw-r-- 1 bind adm  238 Oct  2 17:59 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf
-rw-r--r-- 1 bind adm  245 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.conf.signed
-rw-r--r-- 1 bind adm  13K Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet1.signed
-rw-rw-r-- 1 bind adm  798 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2
-rw-rw-r-- 1 bind adm  238 Oct  2 17:59 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf
-rw-r--r-- 1 bind adm  245 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.conf.signed
-rw-r--r-- 1 bind adm 8.2K Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.intranet2.signed
-rw-r--r-- 1 bind adm 7.1K Jul 26 04:22 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed
-rw-r--r-- 1 bind adm  15K Jul 26 04:10 
/etc/bind/master/net/tamay-dogan/net.tamay-dogan.signed.jnl
-rw-r--r-- 1 bind adm  459 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.key
-rw------- 1 bind adm 1010 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/ZSK_Kintranet1.tamay-dogan.net.+005+28905.private
-rw-r--r-- 1 bind adm  459 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.key
-rw------- 1 bind adm 1010 Oct  2 18:01 
/etc/bind/master/net/tamay-dogan/ZSK_Kintranet2.tamay-dogan.net.+005+36762.private
-rw-r--r-- 1 bind adm  439 Jul  3 17:10 
/etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.key
-rw------- 1 bind adm 1010 Jul  3 17:10 
/etc/bind/master/net/tamay-dogan/ZSK_Ktamay-dogan.net.+005+30945.private

If I am right, this looks right.

> Try dnssec-settime -p all /path/to/keys/Kexample.com.+005+12345.key and
> look for "Activate:" and "Inactive:"

root@dns1 /etc/bind # dnssec-settime -p all 
/etc/bind/master/net/tamay-dogan/KSK_Ktamay-dogan.net.+005+12268.key
Created: Sun Jul  3 17:10:49 2011
Publish: Sun Jul  3 17:10:49 2011
Activate: Sun Jul  3 17:10:49 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

seems not very good...

root@dns1 /etc/bind # dnssec-settime -p all 
/etc/bind/master/net/tamay-dogan/KSK_Kintranet1.tamay-dogan.net.+005+12154.key
Created: Sun Oct  2 18:01:29 2011
Publish: Sun Oct  2 18:01:29 2011
Activate: Sun Oct  2 18:01:29 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
root@dns1 /etc/bind # dnssec-settime -p all 
/etc/bind/master/net/tamay-dogan/KSK_Kintranet2.tamay-dogan.net.+005+45271.key
Created: Sun Oct  2 18:01:34 2011
Publish: Sun Oct  2 18:01:34 2011
Activate: Sun Oct  2 18:01:34 2011
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

I have added this two today...

> There have been a few bugfixes to automatic signing between 9.7.3 and
> 9.8. Maybe you hit one of those bugs.

Hmmm, i will ask the Debian Maintainers...

> Hauke.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet
Owner Michelle Konzack
                                    Tel: +49-176-86004575 office
Gewerbe Straße 3                    Tel: +49-177-9351947  mobil
77694 Kehl/Germany                  Tel: +33-6-61925193   mobil (France)

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber [email protected]
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/

signature.pgp
Description: Digital signature

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

Re: "auto-dnssec maintain" stoped working again...

Reply via email to