Hi Larry,
This is documented in the DNSSEC RFCs, but AFAICS it is not mentioned in
our documentation. I created a merge request to add such a note in the
appropriate places:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5823
Best regards,
Matthijs
On 10-02-2022 18:23, Larry
On 02/10/2022 10:10 am, Matthijs Mekking wrote:
Hi,
There are several things wrong here. The gist of it is that there is
no valid ZSK and since the zone is not properly signed, BIND does not
want to publish the DS record (even if outside BIND you already
published the DS).
You can tell that
Hi,
There are several things wrong here. The gist of it is that there is no
valid ZSK and since the zone is not properly signed, BIND does not want
to publish the DS record (even if outside BIND you already published the
DS).
You can tell that BIND does not agree because it did not publish
version: bind9-devel-9.17.18.a0.2021.10.08
Debug logs from yesterday for this zone (none in today's log):
<183>1 2022-02-09T02:18:28.587884-06:00 thebighonker.lerctr.org named
44101 - - 09-Feb-2022 02:18:28.587 dnssec: debug 1: keymgr: keyring:
lerctr.org/RSASHA256/8385 (policy ler1)
<183>1
Hi Larry,
There have been several bug fixes for dnssec-policy since its
introduction. What version of 9.17 are you running?
I can't tell what causes the ds to stay in the hidden state. The timings
in the state file should allow it to move to the next state.
If you were able to turn on
Hi Larry,
Without more information it is hard to tell what is going on.
Can you share your dnssec-policy and the contents of the key state file?
And if you have useful logs (grep for keymgr) that would be handy too to
see what is going on.
If you prefer to share them off list, you can mail
Greetings,
new poster. I just converted over to DNSSEC-policy, and rolled my
KSK. I see:
key: 269 (RSASHA256), KSK
published: yes - since Sun Feb 6 14:31:32 2022
key signing:yes - since Sun Feb 6 14:31:32 2022
No rollover scheduled
- goal: omnipresent
-