[Opendnssec-user]Lots of Dead DNSKEYs in the Zone
matthijs at nlnetlabs.nl
Tue Feb 5 14:01:33 UTC 2013
The RR does not exist is a warning message: The signer is signing an
RRset, but there are RRs in memory that are not committed to the zone.
This is a strange situation, hence I am printing a warning message.
It gives a clue that there is a bug. And there is: If Inbound Adapter is
up to date or unchanged, also do a transfer transaction in order to
correctly update the new DNSKEYs and NSEC3PARAM in case of a change in
Only the 1.4.0rc2 is affected. I fixed it in trunk r7011. Thanks for
On 02/04/2013 09:13 AM, ÁõË¶ wrote:
> Hi All,
> As I posted earlier, the 'RR Does Not Exist' and ods-signer would not
> signs RRSIGs until it expires cause a lot of problems.
> My test tlds here have their KSK rollovered every 4H and ZSK rollovered
> every 2H, and after days of test you can see the amount of DNSKEYS
> exist in the zone file and most of which are dead.
> [gtld at index zone]$ dig @220.127.116.11 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> [gtld at index zone]$ dig @18.104.22.168 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> It's obvious opendnssec did not remove them in the zone, I will change
> the <purge> to 1H which was 14D by default, I hope this will help.
Purge removes keys from the database, not from the zone.
> I wrote a script to do nsupdate soa to the INBOUND bind and this can
> make opendnssec resign the expiring RRs,or the RRSIGs will keep expired,
> but it can not solve the Lots-of-Dead-DNSKEYs problem.
> I need your help guys.
> Best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 553 bytes
Desc: OpenPGP digital signature
More information about the Opendnssec-user