Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
Good morning, I have a DNSSEC "bump in wire" server, which uses "inline-signing yes;" and "auto-dnssec maintain;" for that reason. I do the task of ensuring there are always valid keys in the zone with a script that generates them whenever needed. All fine until here and all working. I have se

AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread Klaus Darilion via bind-users
@lists.isc.org Subject: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated) Good morning, I have a DNSSEC "bump in wire" server, which uses "inline-signing yes;" and "auto-dnssec maintain;&qu

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread Mark Andrews
How ‘named’ manages DNSSEC is very different to how 'dnssec-signzone' manages DNSSEC. When you tell named to inactivate a DNSKEY it stops re-signing the zone with it and it stops signing new records added to the zone with it. It DOES NOT immediately replace all RRSIGs generated using that key

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
Hi Mark!! Thank you so much for your answer!! and your time!! I have a couple of questions. I ask them between your lines and in blue for instance... for emphasizing and being easier to see what I'm referring to. I'm talking about ZSK keys in the questions I am asking in blue. On 2022-01-25 0

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread Mark Andrews
> On 25 Jan 2022, at 11:55, ego...@ramattack.net wrote: > > Hi Mark!! > > > > Thank you so much for your answer!! and your time!!. > > > > I have a couple of questions. I ask them between your lines and in blue for > instance... for emphasizing and being easier to see what I'm referring t

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
Hi Mark!!! Thanks again!!! Very very thankful really. Please allow me to answer you something more as we found a guru here :) :) But then Mark, what does a key deletion time of a key mean? I understood that when the deletion time was overtaken in a ZSK, the key disappeared from the DNSKEY and

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
Hi!! Don't really know if it could help, but I generate the ZSK keys this way: /usr/local/sbin/dnssec-keygen -3 -a 8 -b 1024 -P now -A now -I +45d -D +47d _ Cheers!! On 2022-01-25 02:48, Mark Andrews wrote: > On 25 Jan 2022, at 11:55, ego...@ramattack.net wrote: > > Hi Mark

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-26 Thread Mark Andrews
DNSSEC involves lots of timing / co-ordination points and if any of them get delayed for any reason the following ones also need to be delayed. While dnssec-keygen will allow you to set all of the timers for all of a key's life, it is bad practice to do that. If you are going to set the timers

Re: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-28 Thread egoitz--- via bind-users
Hi Mark! Very thankful again for your time. Sorry for answering so late, but I was not at the office yesterday. I answer below in blue for instance... On 2022-01-27 02:56, Mark Andrews wrote: > DNSSEC involves lots of timing / co-ordination points and if any of them get > delayed for any re

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
s key. After key deactivation I waited the RRSIG lifetime > before deleting them. > > regards > > Klaus > > FROM: bind-users ON BEHALF OF egoitz--- > via bind-users > SENT: Monday, 24 January 2022 13:00 > TO: bind-users@lists.isc.org > SUBJECT: Bind 9, dnssec

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
;> via bind-users >> SENT: Monday, 24 January 2022 13:00 >> TO: bind-users@lists.isc.org >> SUBJECT: Bind 9, dnssec, and .key .private files physical deletion after the >> key id becomes deleted from zone (the key becomes outdated) >> >> Good morning, >&

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
aus > > FROM: bind-users ON BEHALF OF egoitz--- > via bind-users > SENT: Monday, 24 January 2022 13:00 > TO: bind-users@lists.isc.org > SUBJECT: Bind 9, dnssec, and .key .private files physical deletion after the > key id becomes deleted from zone (the key becomes ou

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
this key. After key deactivation I waited the RRSIG lifetime > before deleting them. > > regards > > Klaus > > FROM: bind-users ON BEHALF OF egoitz--- > via bind-users > SENT: Monday, 24 January 2022 13:00 > TO: bind-users@lists.isc.org > SUBJECT: Bind 9

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
by this key. After key deactivation I waited the RRSIG lifetime > before deleting them. > > regards > > Klaus > > FROM: bind-users ON BEHALF OF egoitz--- > via bind-users > SENT: Monday, 24 January 2022 13:00 > TO: bind-users@lists.isc.org > SUBJECT:

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread Tony Finch
egoitz--- via bind-users wrote: > > These are the contents of a cat of the private file I have renamed to > samename.private-OLD : > > Created: 20211031230338 > Publish: 2020220241 > Activate: 2020220341 > Inactive: 20211215230338 > Delete: 20211217230338 Yes, it can be confusing when the

Re: AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread egoitz--- via bind-users
Hi!! Thanks a lot for your answer!! I tried before the fact of renaming back and rndc sign... but it does not work, it just removed the error from the log. I have changed my key managing code, for not renaming to "-OLD" the ZSK (.key and .private) until at least 2 days have passed from t