Hi Mark!!
Thank you so much for your answer!! and your time!!.
I have a couple of questions. I ask them between your lines and in blue
for instance... for emphasizing and being easier to see what I'm
referring to. I'm talking about ZSK keys in the questions I am asking in
blue.
El 2022-01-25 00:36, Mark Andrews escribió:
> How 'named' manages DNSSEC is very different to how 'dnssec-signzone' manages
> DNSSEC. When you tell named to
> inactivate a DNSKEY it stops re-signing the zone with it and it stops signing
> new records added to the zone
> with it.
>
> THE FACT IS, I DON'T TELL NAMED NOTHING REALLY. IT MAINTAINS THE ZONE
> SIGNATURES (I'M USING INLINE-SIGNING YES; AUTO-DNSSEC MAINTAIN; PER ZONE). I
> JUST PROVIDE IT KEYS AND THEN I WAIT, UNTIL THE ZSK KEY'S DELETE TIME
> ARRIVES, THEN I REMOVE IT'S FILES (.KEY AND .PRIVATE). I DON'T WAIT UNTIL THE
> INACTIVE TIME. I WAIT UNTIL THE DELETE TIME (NOT THE INACTIVE TIME). AFTER
> THE DELETE TIME OF THE KEY, CAN STILL RECORDS (RRSIGS) EXIST SIGNED WITH THAT
> KEY THEN?.
>
> It DOES NOT immediately replace all RRSIGs generated using that key. Those
> records will be replaced
> over the sig-validity-interval as they fall due for re-signing. Once all
> those RRSIG records have been
> replaced and they have expired from caches, you can then delete the DNSKEY
> record.
>
> With the default sig-validity-interval (30) that takes up to 22.5 days to
> which you have to add the record TTL.
>
> OK, BUT DOES SIG-VALIDITY-INTERVAL AFFECT TOO, AFTER THE KEY DELETION DATE?.
> OR DOES IT AFFECT ONLY FROM THE INACTIVATION DATE TO THE DELETION DATE OF A
> KEY?.
>
> Mark
>
> BEST REGARDS
>
> On 25 Jan 2022, at 05:21, egoitz--- via bind-users <bind-users@lists.isc.org>
> wrote:
>
> Hi!!
>
> Thanks a lot for your answer!!
>
> I tried before the fact of renaming back and rndc sign... but does not
> work.... just has removed the error from the log....
>
> I have changed my key managing code, for not renaming to "-OLD" the ZSK
> (.key and .private) until have passed at least 2 days from the deletion
> time... Let's see if this way works better....
>
> Any more ideas mates?.
>
> Thank you so much for your time :)
>
> Best regards,
>
> El 2022-01-24 17:51, Tony Finch escribió:
>
> ATENCION
> ATENCION
> ATENCION!!! Este correo se ha enviado desde fuera de la organizacion. No
> pinche en los enlaces ni abra los adjuntos a no ser que reconozca el
> remitente y sepa que el contenido es seguro.
>
> egoitz--- via bind-users <bind-users@lists.isc.org> wrote:
> These are the contents of a cat of the private file I have renamed to
> samename.private-OLD :
>
> Created: 20211031230338
> Publish: 20211110220241
> Activate: 20211110220341
> Inactive: 20211215230338
> Delete: 20211217230338
> Yes, it can be confusing when the state of the key files doesn't match the
> state of the zone.
>
> I think you said you have renamed all your key files back to their usual
> non-OLD names. Good; that is necessary if named is still looking for a key
> file even if it shouldn't need it any more.
>
> Then, try running `rndc sign <zone>`, to make named reload the keys. I
> think that should also get it to make whatever updates might be necessary.
>
> Then look at the logs to see if there are errors, and look at the DNSKEY
> RRset (with its RRSIGs) to make sure it matches what you expect.
>
> If that doesn't get things straightened out then, um, dunno :-)
>
> I guess it is possible to get into a muddle if you try to move a key out
> of the way very soon after its delete time. By default, named does key
> maintenance infrequently, so I guess if you move the key after its
> deletion time but before the next key maintenance cycle, things will get
> out of sync. But I have not checked whether my guess is right or not.
>
> Tony.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/ for more
information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users