Hi,
It is hard to see what the problem is without any configuration or state
information. Also, log level debug 3 probably gives you more useful logs
when investigating a problem.
Can you share (privately if you wish) the key **state** files, and the
output of 'rndc dnssec -status' for the given zone?
Best regards,
Matthijs
On 20-11-2022 00:50, vom513 wrote:
Hello,
So I reconfigured one of my domains to use dnssec-policy. I’m using the policy
“default” + I’ve only added nsec3 stuff. All other timers / params are from
default. Working fine / as expected.
Luckily for me this is a domain that I don’t use much. So outages and mistakes
are easily tolerable.
After a bumpy start, I have the zone “happy” - that is, fully signed, DS in
parent, and all timers reading “omnipresent”.
I’m trying to use this ISC KB as a guide:
https://kb.isc.org/docs/dnssec-key-and-signing-policy
So I decided to try a rollover. So I did: rndc dnssec -rollover -key 12345 -when
20221122230000 example.com
This now shows up as scheduled in rndc dnssec -status.
However, I expected BIND to create a successor CSK. Nothing in the key dir,
nothing in logs, nothing in rndc status.
The whole point of course is to have two “overlapping” keys, two DSes, i.e.
two chains of trust. And then when everything is happy timer-wise, the old key
(and DS) can go away.
Is BIND going to do this sometime before the actual rollover? Or is there
something else I need to do? Speaking of this - what exactly happens at the
rollover time?
Thanks.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
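For readers following the thread, here is an added named.conf example (not posted by either participant, and not the built-in policy shipped with BIND) of the setup vom513 describes: a dnssec-policy that keeps the built-in "default" parameters (one CSK, algorithm 13, unlimited lifetime) and only adds NSEC3, plus the debug-3 DNSSEC logging Matthijs asks for. Because the built-in "default" policy cannot be edited, the settings are copied into a named policy; the policy name, zone name and file paths are placeholders, and the timer values mirror the documented defaults, so check them against the ARM for the BIND version you run.

```conf
// Added example, not from the thread. Custom policy = built-in "default" + NSEC3.
// Policy name, zone name and paths are placeholders.
dnssec-policy "default-nsec3" {
    keys {
        // Same as the built-in default: a single CSK, ECDSAP256SHA256 (13),
        // never rolled automatically (lifetime unlimited), so a rollover
        // only happens when you request one with 'rndc dnssec -rollover'.
        csk lifetime unlimited algorithm 13;
    };
    // Timers copied from the built-in default policy; verify against your ARM.
    dnskey-ttl 3600;
    publish-safety 1h;
    retire-safety 1h;
    signatures-refresh 5d;
    signatures-validity 14d;
    signatures-validity-dnskey 14d;
    max-zone-ttl 24h;
    zone-propagation-delay 300s;
    parent-ds-ttl 1d;
    parent-propagation-delay 1h;
    // The only addition: NSEC3, no extra hash iterations, no opt-out, empty salt.
    nsec3param iterations 0 optout no salt-length 0;
};

// Debug-level DNSSEC logging (the "log level debug 3" suggested in the reply).
logging {
    channel dnssec_debug {
        file "/var/log/named/dnssec.log" versions 3 size 10m;
        severity debug 3;
        print-time yes;
        print-category yes;
    };
    category dnssec { dnssec_debug; };
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    key-directory "/var/named/keys";
    dnssec-policy "default-nsec3";
};
```

With this in place the two commands from the thread apply as written: 'rndc dnssec -status example.com' shows the key, its states and any scheduled rollover, and 'rndc dnssec -rollover -key 12345 -when 20221122230000 example.com' schedules the rollover of key tag 12345. The state files Matthijs asks for live in the zone's key-directory next to the .key and .private files, named K<zone>+<alg>+<keytag>.state (here K example.com.+013+12345.state), and the dnssec log channel above is where BIND reports what it decides to do with them.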