[knot-dns-users] Refreshing DNSKEY RRset signatures
jan.vcelak at nic.cz
Thu Aug 20 17:22:55 CEST 2015
thank you for the report! You have found a bug.
The DNSKEY RRSIG expiration time is really not considered when planning the
zone resign. Both the 1.6 and the 2.0 are affected.
The fix for this issue is currently being reviewed . I hope we'll release a
new Knot DNS patch version during the following week. Stay tuned.
Thanks and Regards,
On Tuesday, August 18, 2015 05:33:11 AM Antti Ristimäki wrote:
> I'm running Knot 2.0.0 and automatically signing my zone with manual key
> management policy. When I manually refreshed the signatures by running
> "knotc signzone <zone>", all the signatures were refreshed as expected,
> except the DNSKEY RRset, whose signature remained untouched. I thought
> this wouldn't be a big deal, as Knot would probably automatically
> refresh DNSKEY RRset signature when about 1/10 of its lifetime will be
> However, when I now look at "knotc zonestatus", it shows that the next
> resigning is scheduled far beyond the exipration of the DNSKEY RRset
> signature. So, is my DNSKEY RRset signature going to be expired or is
> DNSKEY handled in some special way so that it will be eventually
> refreshed before expiring?
> My current DNSKEY RRSIG will expire at 20150828172101:
> nxdomain.fi. 600 IN RRSIG DNSKEY 8 2 600 20150828172101
> 61894 nxdomain.fi. qQJm.....
> But the next resigning is scheduled on 2015-09-14:
> nxdomain.fi. type=master | serial=2015081708 | DNSSEC resign in
> 647h56m43s | automatic DNSSEC, resigning at: 2015-09-14T02:26:59
> knot-dns-users mailing list
> knot-dns-users at lists.nic.cz
More information about the knot-dns-users