[Opendnssec-user]Lots of Dead DNSKEYs in the Zone

=?us-ascii?B?wfXLtg==?= shuoleo at 126.com
Mon Feb 4 08:13:07 UTC 2013


Hi All,

As I posted earlier, the 'RR Does Not Exist' and ods-signer would not signs RRSIGs until it expires cause a lot of problems.
My test tlds here have their KSK rollovered every 4H and ZSK rollovered every 2H, and after days of test you can see the amount of DNSKEYS
exist in the zone file and most of which are dead.

[gtld at index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
75
[gtld at index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
67

It's obvious opendnssec did not remove them in the zone, I will change the <purge> to 1H which was 14D by default, I hope this will help.

I wrote a script to do nsupdate soa to the INBOUND bind and this can make opendnssec resign the expiring RRs,or the RRSIGs will keep expired, but it can not solve the Lots-of-Dead-DNSKEYs problem.

I need your help guys.


Best regards,
Stuart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130204/ed075ee1/attachment.htm>


More information about the Opendnssec-user mailing list