Thanks for providing the data.

So it looks to me that nothing has happened yet because you scheduled
the rollover at 20221122230000 (November 22, 2022, 23:00:00 UTC). That's
why no successor has been created yet: the datetime is still in the future.

You can see in the state file that the key will be retired at
2022-11-23 01:05:00 UTC. This is 2 hours and 5 minutes after the
rollover starts, which is the sum of the DNSKEY TTL plus the
publish-safety margin, plus the configured zone propagation delay.

So if all goes well, your rollover should start tonight (UTC).

You can set the log level to debug 1 and you will likely see the time in
seconds when the new successor needs to be generated/selected. ("keymgr:
new successor needed for DNSKEY XXXX (CSK) (policy default-nsec3) in
YYYY seconds").

Best regards,

Matthijs
On 21-11-2022 15:54, vom513 wrote:
On Nov 21, 2022, at 3:29 AM, Matthijs Mekking <matth...@isc.org> wrote:
Hi,
It is hard to see what the problem is without any configuration or state
information. Also, log level debug 3 gives you probably more useful logs when
investigating a problem.
Can you share (privately if you wish) the key state files, and the output
of 'rndc dnssec -status' for the given zone?
Yep, nothing top secret here. Here is rndc dnssec -status as well as the state
file. Judging by the lifetime / retirement - looks like I have a 2 hour window
after the rollover? I suppose I can/should tweak/increase this lifetime in
the dnssec-policy?
--
dnssec-policy: default-nsec3
current time: Mon Nov 21 09:50:11 2022
key: 46697 (ECDSAP256SHA256), CSK
published: yes - since Wed Nov 16 22:07:32 2022
key signing: yes - since Wed Nov 16 22:07:32 2022
zone signing: yes - since Wed Nov 16 22:07:32 2022
Next rollover scheduled on Tue Nov 22 18:00:00 2022
- goal: omnipresent
- dnskey: omnipresent
- ds: omnipresent
- zone rrsig: omnipresent
- key rrsig: omnipresent
; This is the state of key 46697, for acuity.tech.
Algorithm: 13
Length: 256
Lifetime: 511048
KSK: yes
ZSK: yes
Generated: 20221117030732 (Wed Nov 16 22:07:32 2022)
Published: 20221117030732 (Wed Nov 16 22:07:32 2022)
Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
Removed: 20221203021000 (Fri Dec 2 21:10:00 2022)
DSPublish: 20221118201223 (Fri Nov 18 15:12:23 2022)
PublishCDS: 20221118041232 (Thu Nov 17 23:12:32 2022)
DNSKEYChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
ZRRSIGChange: 20221118041232 (Thu Nov 17 23:12:32 2022)
KRRSIGChange: 20221117051232 (Thu Nov 17 00:12:32 2022)
DSChange: 20221119221223 (Sat Nov 19 17:12:23 2022)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: omnipresent
--
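The timing arithmetic from the reply, worked through on the state file quoted above. This is an added example, not part of the original thread and not ISC code. The three policy values are assumptions chosen to sum to the 2 hours and 5 minutes stated in the reply (the thread does not show the policy), and parse_state and rollover_plan are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

# Excerpt of the key state file quoted in the thread (timestamps are UTC).
STATE = """\
; This is the state of key 46697, for acuity.tech.
Algorithm: 13
Lifetime: 511048
Active: 20221117030732 (Wed Nov 16 22:07:32 2022)
Retired: 20221123010500 (Tue Nov 22 20:05:00 2022)
Removed: 20221203021000 (Fri Dec 2 21:10:00 2022)
"""

# ASSUMED policy values: the thread only gives their sum (2h05m).
ASSUMED_POLICY = {
    "dnskey-ttl": timedelta(hours=1),
    "publish-safety": timedelta(hours=1),
    "zone-propagation-delay": timedelta(minutes=5),
}

def parse_state(text):
    """Return {field: value}; 14-digit values become aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(";") or ":" not in line:
            continue  # comment or blank line
        name, _, rest = line.partition(":")
        token = rest.split()[0] if rest.split() else ""
        if len(token) == 14 and token.isdigit():
            stamp = datetime.strptime(token, "%Y%m%d%H%M%S")
            fields[name.strip()] = stamp.replace(tzinfo=timezone.utc)
        else:
            fields[name.strip()] = token
    return fields

def rollover_plan(fields, policy, now):
    """Derive when the successor is needed from the Retired timestamp."""
    prepublish = sum(policy.values(), timedelta())
    retired = fields["Retired"]
    start = retired - prepublish  # rollover start = retire time minus margin
    lifetime = timedelta(seconds=int(fields["Lifetime"]))
    return {
        "lifetime_consistent": fields["Active"] + lifetime == retired,
        "prepublish": prepublish,
        "successor_needed_at": start,
        "seconds_until_successor": max(0, int((start - now).total_seconds())),
    }

if __name__ == "__main__":
    # Constructed "now": the status output's current time, converted to UTC.
    now = datetime(2022, 11, 21, 14, 50, 11, tzinfo=timezone.utc)
    print(rollover_plan(parse_state(STATE), ASSUMED_POLICY, now))
```

The Lifetime field (511048 seconds) added to Active lands exactly on Retired, which is why the scheduled rollover time and the retirement time are tied together in the state file.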