[Opendnssec-user]Lots of Dead DNSKEYs in the Zone
Sara Dickinson
sara at sinodun.com
Mon Feb 4 09:52:04 UTC 2013
Hi Stuart,
I have opened an issue for this on our bug tracking system:
https://issues.opendnssec.org/browse/SUPPORT-51
Would you be able to share your conf files and full logs either by uploading to the above issue or off-list?
(Also: If you register as a watcher of this issue then you will receive emails of all the updates to it.)
Sara.
On 4 Feb 2013, at 08:13, wfXLtg== wrote:
> Hi All,
>
> As I posted earlier, the 'RR Does Not Exist' and ods-signer would not signs RRSIGs until it expires cause a lot of problems.
> My test tlds here have their KSK rollovered every 4H and ZSK rollovered every 2H, and after days of test you can see the amount of DNSKEYS
> exist in the zone file and most of which are dead.
>
> [gtld at index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> 75
> [gtld at index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> 67
>
> It's obvious opendnssec did not remove them in the zone, I will change the <purge> to 1H which was 14D by default, I hope this will help.
>
> I wrote a script to do nsupdate soa to the INBOUND bind and this can make opendnssec resign the expiring RRs,or the RRSIGs will keep expired, but it can not solve the Lots-of-Dead-DNSKEYs problem.
>
> I need your help guys.
>
>
> Best regards,
> Stuart
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
More information about the Opendnssec-user
mailing list