Evan/et.al., I've updated to 9.10.2, adjusted the timers, etc., and have managed to follow the keyroll.systems test over night (a handful of key changes) plus still get the desired "AD" bit.
With the timing in mind, I looked at my unbound (I realize this is BIND users ;)) which wasn't keeping up with the rolls - I had neglected to speed up it's clock. Once I did that, it worked. My lesson is - besides just working out the configuration - testing RFC5011 takes more patience than just about any other feature of DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have. (Yes, signatures expire and TTL's lapse, but these can be set low in lab environments.) I have a suggestion - is there a way to query a BIND server for it's trust anchor key set? Perhaps it is unnecessary and perhaps it should only be allowed by authorized users. I say perhaps unnecessary because the information may be available on disk (which an administrator could get to via ssh, perhaps). Ed On 4/20/15, 15:12, "Evan Hunt" <e...@isc.org> wrote: >On Mon, Apr 20, 2015 at 06:42:42PM +0000, Edward Lewis wrote: >> Being that I'm working on a laptop (hence on on over the weekend) I've >>had >> to recreate the environment today. I'm a bit more puzzled now. > >There's a separate file that named creates to keep the current >managed keys state information -- it's based on the view name, >so in your case it'll be "recursive.mkeys" (and possibly >"recursive.mkeys.jnl"). I suspect it still has the key from >Friday in it, and that's messing things up. Delete that file and >reinitialize, then leave the server up and running (not forgetting >to use -T mkeytimers=H/D/M, where M is no more than 3600 seconds, >because keyroll.systems rolls its keys every hour and normal RFC >5011 processing can't handle that), and you should be in good shape. > >-- >Evan Hunt -- e...@isc.org >Internet Systems Consortium, Inc.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users