Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

Mon, 24 Jan 2022 10:22:21 -0800 

Hi!! 

Thanks a lot for your answer!! 

I tried before the fact of renaming back and rndc sign... but does not
work.... just has removed the error from the log.... 

I have changed my key managing code, for not renaming to "-OLD"  the ZSK
(.key and .private) until have passed at least 2 days from the deletion
time... Let's see if this way works better....

Any more ideas mates?. 

Thank you so much for your time :) 

Best regards, 

El 2022-01-24 17:51, Tony Finch escribió:

> ATENCION
> ATENCION
> ATENCION!!! Este correo se ha enviado desde fuera de la organizacion. No 
> pinche en los enlaces ni abra los adjuntos a no ser que reconozca el 
> remitente y sepa que el contenido es seguro.
> 
> egoitz--- via bind-users <bind-users@lists.isc.org> wrote: 
> 
>> These are the contents of a cat of the private file I have renamed to
>> samename.private-OLD :
>> 
>> Created: 20211031230338
>> Publish: 20211110220241
>> Activate: 20211110220341
>> Inactive: 20211215230338
>> Delete: 20211217230338
> 
> Yes, it can be confusing when the state of the key files doesn't match the
> state of the zone.
> 
> I think you said you have renamed all your key files back to their usual
> non-OLD names. Good; that is necessary if named is still looking for a key
> file even if it shouldn't need it any more.
> 
> Then, try running `rndc sign <zone>`, to make named reload the keys. I
> think that should also get it to make whatever updates might be necessary.
> 
> Then look at the logs to see if there are errors, and look at the DNSKEY
> RRset (with its RRSIGs) to make sure it matches what you expect.
> 
> If that doesn't get things straightened out then, um, dunno :-)
> 
> I guess it is possible to get into a muddle if you try to move a key out
> of the way very soon after its delete time. By default, named does key
> maintenance infrequently, so I guess if you move the key after its
> deletion time but before the next key maintenance cycle, things will get
> out of sync. But I have not checked whether my guess is right or not.
> 
> Tony.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to