Re: DNSSEC auto-dnssec issue bind-9.7.2-P3

Have you tried more sane times?

Those don't look like sensible times even for a test, which is probably why
BIND isn't signing. I think you are below the sensitivity level for BIND to
sign automatically.

If you want to test, try using hours or days as values. When initially
testing I used lifetimes of a week, then increased to 1 month for ZSKs and 3
months for KSKs. That allowed me to test things quickly, but without
compromising the validity of the test.

On 17/01/11 2:47 PM, "Zbigniew Jasiński" <szopen@xxxxxxx> wrote:

Hi all,

I have my test zone example configured with option auto-dnssec maintain;

zone "example" {
type master;
file "var/zone/example";
allow-update { loopback; };
allow-transfer { trusted; loopback; };
auto-dnssec maintain;
key-directory "var/keys/example";
};

In the server conf there's also 'dnssec-enable yes'

and I've configured keys (KSK/ZSK) with timing options (same for both keys):

; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)

I started bind, sent an update for my example zone with NSEC3PARAM:

Jan 14 16:08:40 named[25297]: general: zone example/IN:
dns_zone_addnsec3chain(hash=1, iterations=12, salt=28EA1FFF42617C9D59B1)
Jan 14 16:08:40 named[25297]: general: zone example/IN:
zone_addnsec3chain(1,CREATE,12,28EA1FFF42617C9D59B1)

sent the rndc sign command:

Jan 14 16:08:41 named[25297]: general: received control channel command
'sign example'
Jan 14 16:08:41 named[25297]: general: zone example/IN: reconfiguring
zone keys
Jan 14 16:08:42 named[25297]: general: zone example/IN:
zone_addnsec3chain(1,REMOVE|NONSEC,12,28EA1FFF42617C9D59B1)
Jan 14 16:08:42 named[25297]: general: zone example/IN: next key event:
14-Jan-2011 16:13:39.200

next key event is scheduled for 16:13:39.200 which is correct, and this
is the key Publish event:

Jan 14 16:13:39 named[25297]: general: zone example/IN: reconfiguring
zone keys
Jan 14 16:13:39 named[25297]: general: zone example/IN: next key event:
14-Jan-2011 16:23:39.234

But what about the Activate event??? In the log I just see Publish, Inactive
and Delete events but no Activate event. The zone is just not signed by
named.

If I use default settings when generating keys (Created, Publish,
Activate = NOW), change 'auto-dnssec maintain' to 'auto-dnssec allow'
and send 'rndc sign example' zone is signed without problems.

What's going on?

--
regards

zbigniew jasinski
[SYStem OPerator]


_______________________________________________
bind-users mailing list
bind-users@xxxxxxxxxxxxx
https://lists.isc.org/mailman/listinfo/bind-users

--
Kal Feher
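A small checker for the key-timing comments quoted above, following the reply's advice that Publish/Activate/Inactive/Delete intervals should be hours or days rather than minutes. This is an added example, not code from the thread or from BIND; the one-hour minimum gap, the constructed sample key file and its placeholder DNSKEY line are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample .key file using the timings quoted in the thread.
# The keyid and DNSKEY data are placeholders, not real key material.
KEY_FILE = """\
; This is a zone-signing key, keyid 12345, for example.
; Created: 20110114150841 (Fri Jan 14 16:08:41 2011)
; Publish: 20110114151339 (Fri Jan 14 16:13:39 2011)
; Activate: 20110114151839 (Fri Jan 14 16:18:39 2011)
; Inactive: 20110114152339 (Fri Jan 14 16:23:39 2011)
; Delete: 20110114152839 (Fri Jan 14 16:28:39 2011)
example. IN DNSKEY 256 3 8 PLACEHOLDER-NOT-A-REAL-KEY==
"""

# Lifecycle order of the timing metadata written by dnssec-keygen / dnssec-settime.
ORDER = ["Created", "Publish", "Activate", "Inactive", "Delete"]
TIMING_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete):\s*(\d{14})")


def parse_timings(text):
    """Return {event: datetime} for each ';  Event: YYYYMMDDHHMMSS' comment line."""
    timings = {}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            timings[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    return timings


def check_timings(timings, min_gap=timedelta(hours=1)):
    """Return a list of findings; an empty list means the timings look sane.

    min_gap is an assumed review threshold, not a BIND constant: the reply above
    recommends testing with hours or days and using weeks or months in practice.
    """
    findings = []
    present = [e for e in ORDER if e in timings]
    # Events must not run backwards (e.g. Activate before Publish).
    for a, b in zip(present, present[1:]):
        if timings[b] < timings[a]:
            findings.append(f"{b} ({timings[b]}) precedes {a} ({timings[a]})")
    # Each lifecycle phase must last at least min_gap so the zone can be
    # published, signed and propagated before the next key event fires.
    for a, b in (("Publish", "Activate"), ("Activate", "Inactive"), ("Inactive", "Delete")):
        if a in timings and b in timings:
            gap = timings[b] - timings[a]
            if timedelta(0) <= gap < min_gap:
                findings.append(f"{a}->{b} gap {gap} is shorter than {min_gap}")
    return findings
```

Run against KEY_FILE this reports three phases of five minutes each, which is the situation the thread describes.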



