BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7

I'm testing ZSK rollover on a currently unused domain, and expected the rollover to happen automatically Saturday, however it appears that it only partially has: according to https://dnssec-analyzer.verisignlabs.com/peakmail.com (if I read it right), the old key is still being used for signing the NSEC responses:

Found 2 RRSIGs over DNSKEY RRset
RRSIG=46671 and DNSKEY=46671 verifies the DNSKEY RRset
Found 1 RRSIGs over NSEC RRset
RRSIG=1410 and DNSKEY=1410 verifies the NSEC RRset
NSEC proves no records of type A exist for peakmail.com
Found 1 RRSIGs over SOA RRset
RRSIG=46671 and DNSKEY=46671 verifies the SOA RRset

It looks like the old key (1410) is still signing the NS records too:

<ns6.peak.org> [117] $ dig +dnssec ns peakmail.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +dnssec ns peakmail.com
...
;; ANSWER SECTION:
peakmail.com. 2949 IN NS ns1.peak.org.
peakmail.com. 2949 IN NS ns2.peak.org.
peakmail.com. 2949 IN RRSIG NS 8 2 3600 20200306103311 20200205095819 1410 peakmail.com. YNtR43oUskSKPTGg3GIiH6V3icJhFsHg5RxH7UeQ9LPpN8c2UIWfbn/p zXd9EcxeYwjRL0BtDQ6ZZRKLq7UcUdpFBwVR6dJv+g0pJg9VUAVVM4t5 9HoAq3HdyoyVoXWoQiPcNg+qqAwzp42FxRI/qILCoApurX9rPxNESuDo FjzcXxOmGv3FNHKdIr0WqTb4BW9MIpJGF3WWymg5zFMqSv4BQJkIgWr/ XyDr6jhjvMLUAgF45+Gi5lEiqjzmwGb9XTxVJz9oMDCInh4Pi5185huV GXKkSGArZsI9t7Z+0Zi0E+s56cuN6Sq8J/HueYoxIWnUxr+35tyFRjvv SxLXWA==

However the new key is signing the SOA record:

<ns6.peak.org> [116] $ dig +dnssec soa peakmail.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +dnssec soa
...
;; ANSWER SECTION:
peakmail.com. 3600 IN SOA ns1.peak.org. hostmaster.peak.org. 2020012408 3600 900 604800 300
peakmail.com. 3600 IN RRSIG SOA 8 2 3600 20200324000000 20200222230000 46671 peakmail.com. YA/1d55blWOqwqsbcaKEP7JO4nRbI2OyzSvhcPWukAim5wDhFUx1OkAd 8kLPpGp7eO/WEAiyFk/JPxkOqLB0c/Lu1MlF9pmAFhUMzsVkDsYu1+uE kGyhUpj4GrOoA3xOpJ6rQLfmTTjGFTpCtrBmlIm/UltA9a3pw7PTwLks ZhpYU+a5CXhbimgBgk40Do9DGfN0ToB4R9w+AlFqAKX3UEpv8PiR/MaR nCfjWLwnbVjURBj0V3P1VJUX38v4rOVPAIivwesM7MhaVL1+s+Rfvu5r guCSkkY0XQc3jeKSRSE25I7AxWYTs9T8NBq5ZgFqyvHZN7ZZ4vwxwg/r hsvUug==

The public key files in question:

; This is a zone-signing key, keyid 1410, for peakmail.com.
; Created: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Publish: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Activate: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Inactive: 20200222000000 (Fri Feb 21 16:00:00 2020)
; Delete: 20200226000000 (Tue Feb 25 16:00:00 2020)
peakmail.com. IN DNSKEY 256 3 8 AwEAAd44dDiBOaLFp/sRC6Pr0Baas/gcR1udt/PFFP8JPbBU82Sv1bH6 d/+8HsH7oYYBJaEaupIgrVqi2RzzdvnbvvPJ0mEEnCrVysGpIZCORimR 7OA+DVz6FZHcvi7PE8yaY7D09PbghnhiKBnk+obhqbTqjfyazPu+amM6 aJxg/2crq0+w/XRcuwQ40Oj/iK/c6fnPm1GxfTQBB11jpMOWc1uwsFxw Xgcv1bVUc4H6ERk0MrH2wZQTvrh2XG1WQju6uRSi5YE+dXy2HYH/YK02 mXvOdB2YPhddap6u2XQC1zrZcEtiIT1ifWcxQYzhAT5/xoFct3oH0m46 iW5vVtYhACc=

; This is a zone-signing key, keyid 46671, for peakmail.com.
; Created: 20200218234802 (Tue Feb 18 15:48:02 2020)
; Publish: 20200219000000 (Tue Feb 18 16:00:00 2020)
; Activate: 20200222000000 (Fri Feb 21 16:00:00 2020)
peakmail.com. IN DNSKEY 256 3 8 AwEAAbMVxTZ9vttRsad5iBUOXflyn+Px1U0tQ7taNBNxRpHy0GFn/mtI W/S4xNorMNj7acKqzOzgXxUH90tc0PYbpg17WEGIyJC0OtlQJExpASXd 7cXG9Se6RvWDhWiiiEs7Z4fAVEzqegohK/V86TFY5+uBd1uN8DVBtHnz M1IBekumCyMliqHL4+7xtVrZccu2CINo6TukJvfz+SI/jQJUjXbfyuDN uVUPE+JVeuiwPC1Y++Wg+S9oJrpsSp8Vm+j/NqdescDRknhWMYZGQ5HL 6xXgrqGZJ6EGC3FgH7WXU6oAmYxSZE8mGZp/2IiXLTefX8Si3bDMLxOe Av7p/BAAbgM=
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
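Added example, not part of the original post or of BIND: a Python check that reads RRSIG lines and key timing metadata like those quoted in the message above, and reports for each signature whether its key is past its Inactive time and whether the signature was created before that time. The function names are hypothetical, the sample inputs are constructed from the post's records with the signature data replaced by the placeholder SIG, and NOW is an assumed check time.

```python
import re
from datetime import datetime, timezone

# Constructed sample built from the records in the post; "SIG" stands in for signature data.
DIG_OUTPUT = """\
peakmail.com. 2949 IN RRSIG NS 8 2 3600 20200306103311 20200205095819 1410 peakmail.com. SIG
peakmail.com. 3600 IN RRSIG SOA 8 2 3600 20200324000000 20200222230000 46671 peakmail.com. SIG
"""
KEY_FILES = """\
; This is a zone-signing key, keyid 1410, for peakmail.com.
; Activate: 20200110224135 (Fri Jan 10 14:41:35 2020)
; Inactive: 20200222000000 (Fri Feb 21 16:00:00 2020)
; Delete: 20200226000000 (Tue Feb 25 16:00:00 2020)
; This is a zone-signing key, keyid 46671, for peakmail.com.
; Activate: 20200222000000 (Fri Feb 21 16:00:00 2020)
"""

def ts(s):
    """Parse a YYYYMMDDHHMMSS timestamp (UTC) as used in RRSIGs and key files."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

NOW = ts("20200224000000")  # assumed time of the check, not taken from the post

def parse_keys(text):
    """Map key tag -> {timing field: datetime} from key-file comment lines."""
    keys, tag = {}, None
    for line in text.splitlines():
        if m := re.search(r"keyid (\d+),", line):
            tag = int(m.group(1))
            keys[tag] = {}
        elif tag is not None and (m := re.match(r"; (\w+): (\d{14})", line)):
            keys[tag][m.group(1)] = ts(m.group(2))
    return keys

def parse_rrsigs(text):
    """Return (type covered, expiration, inception, key tag) per RRSIG line."""
    pat = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+"
                     r"\s+(\d{14})\s+(\d{14})\s+(\d+)\s", re.M)
    return [(m[1], ts(m[2]), ts(m[3]), int(m[4])) for m in pat.finditer(text)]

def audit(dig_text, key_text, now):
    """Classify each RRSIG against its key's Inactive and Delete times."""
    keys, report = parse_keys(key_text), []
    for rtype, expire, incept, tag in parse_rrsigs(dig_text):
        inactive = keys.get(tag, {}).get("Inactive")
        delete = keys.get(tag, {}).get("Delete")
        if inactive is None or now < inactive:
            status = "active-key"
        else:  # key is retired: was the signature made before or after that?
            status = "made-before-inactive" if incept < inactive else "signed-after-inactive"
        # True when the signature stays valid past the key's scheduled Delete time
        report.append((rtype, tag, status, delete is not None and expire > delete))
    return report
```

A True in the last field marks a signature whose expiration lies past its key's Delete time, so it is worth confirming that RRset has been re-signed before the DNSKEY is withdrawn.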