Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-12 Thread Magnus Holmgren
On Thursday, 11 August 2022 at 17:47:40 CEST, Matthijs Mekking wrote: > Magnus, > > On 11-08-2022 11:26, Magnus Holmgren wrote: > > On Wednesday, 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote: > >> On 10-08-2022 11:13, Magnus Holmgren wrote: > >>> One question: Is it > >>> necessary to use rndc

Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-12 Thread Magnus Holmgren
On Thursday, 11 August 2022 at 17:41:09 CEST, Matthijs Mekking wrote: > On 10-08-2022 11:21, Matthijs Mekking wrote: > >> The last zone, milltime.se, has become stuck. sudo rndc dnssec -status > >> reports > >> that the old keys are removed from the zone and the new keys are > >> omnipresent, > >> but

Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-11 Thread Matthijs Mekking
Magnus, On 11-08-2022 11:26, Magnus Holmgren wrote: On Wednesday, 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote: On 10-08-2022 11:13, Magnus Holmgren wrote: One question: Is it necessary to use rndc dnssec -checkds or is that only meant as a backup, and named is supposed to query the pare

Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-11 Thread Matthijs Mekking
On 10-08-2022 11:21, Matthijs Mekking wrote: The last zone, milltime.se, has become stuck. sudo rndc dnssec -status reports that the old keys are removed from the zone and the new keys are omnipresent, but the log says "zone milltime.se/IN (signed): Key milltime.se/RSASHA1/22971 missing or

Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-11 Thread Magnus Holmgren
On Wednesday, 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote: > On 10-08-2022 11:13, Magnus Holmgren wrote: > > One question: Is it > > necessary to use rndc dnssec -checkds or is that only meant as a backup, > > and named is supposed to query the parent for DS records automatically? > > That

Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-11 Thread Magnus Holmgren
On Wednesday, 10 August 2022 at 11:21:11 CEST, Matthijs Mekking wrote: > The subject of the mail seems to indicate a different problem than the > body, or am I missing something? Thanks for the reply. I probably should have changed the subject after I solved the problem midway. -- Magnus Holmgren, u

Re: dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-10 Thread Matthijs Mekking
Hi Magnus, On 10-08-2022 11:13, Magnus Holmgren wrote: Hi, I migrated a couple of zones from BIND 9.16.6 on SuSE to 9.16.27 on Debian and at the same time switched from auto-dnssec maintain to a dnssec-policy with RSASHA256 instead of RSASHA1 (actually, I first applied a policy matching the old

dnssec-policy: Old DNSKEYs still in zone despite status showing hidden

2022-08-10 Thread Magnus Holmgren
Hi, I migrated a couple of zones from BIND 9.16.6 on SuSE to 9.16.27 on Debian and at the same time switched from auto-dnssec maintain to a dnssec-policy with RSASHA256 instead of RSASHA1 (actually, I first applied a policy matching the old keys and with unlimited lifetime to avoid confusing BI