[Opendnssec-user] Lots of Dead DNSKEYs in the Zone
sara at sinodun.com
Mon Feb 4 09:52:04 UTC 2013
I have opened an issue for this on our bug tracking system:
Would you be able to share your conf files and full logs either by uploading to the above issue or off-list?
(Also: If you register as a watcher of this issue then you will receive emails of all the updates to it.)
On 4 Feb 2013, at 08:13, wfXLtg== wrote:
> Hi All,
> As I posted earlier, the 'RR Does Not Exist' errors and ods-signer not signing RRSIGs until they expire cause a lot of problems.
> My test TLDs here have their KSK rolled over every 4H and ZSK rolled over every 2H, and after days of testing you can see the number of DNSKEYs
> that exist in the zone file, most of which are dead.
> [gtld at index zone]$ dig @188.8.131.52 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> [gtld at index zone]$ dig @184.108.40.206 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> It's obvious OpenDNSSEC did not remove them from the zone. I will change the <purge> to 1H (it was 14D by default); I hope this will help.
> I wrote a script that does an nsupdate of the SOA to the INBOUND BIND, and this makes OpenDNSSEC re-sign the expiring RRs (otherwise the RRSIGs stay expired), but it cannot solve the lots-of-dead-DNSKEYs problem.
> I need your help guys.
> Best regards,
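The `dig ... | grep DNSKEY | wc -l` check above only counts published keys; it cannot tell a dead key from one that is still in use. The script below is an added example (not from this thread or from OpenDNSSEC) that takes dig-style DNSKEY and RRSIG output, computes each key's tag per RFC 4034 Appendix B, and reports the DNSKEYs no RRSIG in the zone was made with. The sample records and base64 keys are constructed for illustration and are not real keys.

```python
import base64

# Constructed sample of dig output for a zone like dstest1 (not real data):
# two keys still referenced by RRSIGs and two "dead" keys nothing is signed with.
SAMPLE_ZONE = """\
dstest1. 3600 IN DNSKEY 257 3 8 BQYHCA==
dstest1. 3600 IN DNSKEY 256 3 8 AQIDBA==
dstest1. 3600 IN DNSKEY 256 3 8 CQoLDA==
dstest1. 3600 IN DNSKEY 257 3 8 DQ4PEA==
dstest1. 3600 IN RRSIG DNSKEY 8 1 3600 20130211000000 20130204000000 4119 dstest1. c2lnbmF0dXJl
dstest1. 3600 IN RRSIG SOA 8 1 3600 20130211000000 20130204000000 2062 dstest1. c2lnbmF0dXJl
""".splitlines()


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY RR (RFC 4034 Appendix B), computed over its wire RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dead_dnskeys(lines):
    """Return sorted (tag, role) for DNSKEYs that no RRSIG in `lines` was made with.

    `lines` is dig-style presentation output, one RR per line. Keys in the
    pre-publish phase of a rollover also show up here, so only keys that stay
    unreferenced past the rollover window are actually dead.
    """
    published = {}   # key tag -> "KSK" / "ZSK"
    signing = set()  # key tags that appear in some RRSIG
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            tag = key_tag(flags, proto, alg, "".join(f[7:]))  # dig may split the base64
            published[tag] = "KSK" if flags & 1 else "ZSK"    # SEP bit marks the KSK
        elif f[3] == "RRSIG" and len(f) > 10:
            signing.add(int(f[10]))
    return sorted((tag, role) for tag, role in published.items() if tag not in signing)


if __name__ == "__main__":
    print("published DNSKEYs:", sum(1 for l in SAMPLE_ZONE if l.split()[3:4] == ["DNSKEY"]))
    for tag, role in dead_dnskeys(SAMPLE_ZONE):
        print(f"dead {role} key tag {tag}")
```

To run it against a live zone, feed it the output of `dig @server zone DNSKEY +dnssec` together with the RRSIGs of the zone's other RRsets (for example from an AXFR of the signed zone).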