Stephane Bortzmeyer <bortzme...@nic.fr> (Tue 14 Dec 2010 14:48:53 CET):
> On Tue, Dec 14, 2010 at 02:43:38PM +0100,
>  Heiko Schlittermann <h...@schlittermann.de> wrote 
>  a message of 134 lines which said:
> 
> > With checking disabled:
> > # dig www.debian.org +cd +dnssec @192.168.0.1
> ...
> >     www.debian.org.         132     IN      RRSIG   A 5 3 300 
> > 20110111094829 20101214094829 38208 www.debian.org. 
> > AR+irfLzNRWYgbJwp4Nf6M1o3xpANStnSMNQ7iechFhX9YdDUgx7vHLl 
> > 4/mjM6RbyHJiCyz5supU4ubuWT5QxjvG6IE/HgoimiEjq4XsP7ANSEdF 
> > 1B3y270gBxn+tO2ZDfNwLdob9k3AXJnyOVUq9cPVaa8ZcNZ8rhJ04JLF 
> > 3i3E9AphlUywmQPTNTCEtOoV
> 
> Expired signature kept in the cache, maybe? It ends at
> 2010-12-14T09:48Z, which was several hours ago.

Sure? I'd say the signature expires 20110111094829 and was created
20101214094829. BTW expired sigs are logged as such, I think.

[But I'm far away from being a DNS(SEC) expert!]

>  
> >     ;; WHEN: Tue Dec 14 14:38:22 2010
> 
> What time zone? If it is german time, UTC+1, yes, the problem was an
> expired signature.

But why is the behaviour reproducible changing the bind versions back
and forth?

bind was restarted several times. I'd think everything bind caches is
in memory. Files are used for secondary zone data only.
dnssec-accept-expired is set to "yes" already.

-- 
Heiko :: dresden : linux : SCHLITTERMAN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

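The RRSIG line quoted in this thread, parsed by field position and checked against the query time, as an added example that is not part of the original messages. Field order and timestamp formats follow RFC 4034 section 3.2; the function names, the sample line (base64 signature omitted) and the two time-zone readings of the WHEN line are assumptions made for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Field order of the RRSIG presentation format (RFC 4034, section 3.2):
# the expiration timestamp is written before the inception timestamp.
RRSIG = namedtuple("RRSIG", "owner type_covered algorithm labels original_ttl "
                            "expiration inception key_tag signer")

def parse_sig_time(text):
    """Accept YYYYMMDDHHmmSS (always UTC) or decimal seconds since the epoch."""
    if len(text) == 14:
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)

def parse_rrsig(line):
    tok = line.split()
    i = tok.index("RRSIG")            # owner, TTL and class precede the type
    f = tok[i + 1:i + 9]              # eight fields before the signature blob
    if len(f) < 8:
        raise ValueError("truncated RRSIG rdata")
    return RRSIG(tok[0], f[0], int(f[1]), int(f[2]), int(f[3]),
                 parse_sig_time(f[4]), parse_sig_time(f[5]), int(f[6]), f[7])

def window_status(sig, now):
    """Classify 'now' against the signature validity window."""
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    return "in-window"

# Fields as quoted in the thread; the signature itself is left out.
SAMPLE = ("www.debian.org. 132 IN RRSIG A 5 3 300 "
          "20110111094829 20101214094829 38208 www.debian.org.")

# ";; WHEN: Tue Dec 14 14:38:22 2010" carries no zone, so try both readings.
WHEN_LOCAL = datetime(2010, 12, 14, 14, 38, 22)
CANDIDATES = {
    "UTC": WHEN_LOCAL.replace(tzinfo=timezone.utc),
    "CET (UTC+1)": WHEN_LOCAL.replace(tzinfo=timezone(timedelta(hours=1))),
}

def report(line=SAMPLE):
    sig = parse_rrsig(line)
    return {zone: window_status(sig, t) for zone, t in CANDIDATES.items()}

if __name__ == "__main__":
    print(parse_rrsig(SAMPLE))
    print(report())
```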