[Opendnssec-user]Lots of Dead DNSKEYs in the Zone

Sara Dickinson sara at sinodun.com
Mon Feb 4 09:52:04 UTC 2013


Hi Stuart, 

I have opened an issue for this on our bug tracking system:

https://issues.opendnssec.org/browse/SUPPORT-51

Would you be able to share your conf files and full logs either by uploading to the above issue or off-list? 

(Also: If you register as a watcher of this issue then you will receive emails of all the updates to it.)

Sara.

On 4 Feb 2013, at 08:13, wfXLtg== wrote:

> Hi All,
>  
> As I posted earlier, the 'RR Does Not Exist' and ods-signer would not signs RRSIGs until it expires cause a lot of problems.
> My test tlds here have their KSK rollovered every 4H and ZSK rollovered every 2H, and after days of test you can see the amount of DNSKEYS
> exist in the zone file and most of which are dead.
>  
> [gtld at index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> 75
> [gtld at index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> 67
>  
> It's obvious opendnssec did not remove them in the zone, I will change the <purge> to 1H which was 14D by default, I hope this will help.
>  
> I wrote a script to do nsupdate soa to the INBOUND bind and this can make opendnssec resign the expiring RRs,or the RRSIGs will keep expired, but it can not solve the Lots-of-Dead-DNSKEYs problem.
>  
> I need your help guys.
>  
>  
> Best regards,
> Stuart
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user




More information about the Opendnssec-user mailing list