DNSSEC Expired Keys

dflanigan
Posts: 1
Joined: 2015/03/12 12:51:27


Post by dflanigan » 2015/03/12 13:12:26

Hello All,

I seem to be missing the plot on re-signing keys. I had all my keys signed and golden and everything is working. I wrote a little perl script to re-sign all of my domains in one fell swoop, even generating new keys in the process. But obviously in my excitement I missed something.

So the command I use to re-sign my keys is as follows ($salt is generated by the script):

/usr/sbin/dnssec-signzone -S -A -3 $salt -N increment -o example.com -t /var/named/example.com.db

Running this command gets me a promising output of:

Verifying the zone using the following algorithms: NSEC3RSASHA1.
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
/var/named/example.com.db.signed
Signatures generated: 21
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.052
Signatures per second: 400.472
Runtime in seconds: 0.077

However, when I check one of the internet DNS check tools (i.e. http://dnscheck.iis.se/) it still shows an expired signature:

DNSSEC signature expired: RRSIG(example.com/IN/SOA/13232)

Any idea what I am missing?

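As an added illustration (not the poster's script and not part of this thread): a small Python checker that parses the RRSIG records out of `dig +dnssec` style output and reports each one as expired, not-yet-valid, expiring or ok, in the same RRSIG(owner/IN/type/keytag) form the checking tool above uses. The dig output embedded in it is constructed; timestamps, key tags and signature data are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of `dig +dnssec example.com SOA` output (timestamps,
# key tags and signature data are made up for this example).
SAMPLE_DIG_OUTPUT = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2015031201 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 7 2 3600 20150301000000 20150201000000 13232 example.com. AbCd0123==
example.com. 3600 IN RRSIG SOA 7 2 3600 20150411000000 20150312000000 40000 example.com. EfGh4567==
"""

@dataclass
class RRSIG:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int

def parse_ts(s: str) -> datetime:
    # RRSIG presentation format uses YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text: str) -> list:
    """Extract RRSIG records from dig-style presentation output; other RR types are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
            continue
        sigs.append(RRSIG(f[0], f[4], parse_ts(f[8]), parse_ts(f[9]), int(f[10])))
    return sigs

def check_rrsigs(text: str, now: datetime, warn_days: int = 7) -> list:
    """Classify every RRSIG relative to `now` as ok / expiring / expired / not-yet-valid."""
    findings = []
    for s in parse_rrsigs(text):
        label = f"RRSIG({s.owner.rstrip('.')}/IN/{s.type_covered}/{s.key_tag})"
        if now > s.expiration:
            status = "expired"
        elif now < s.inception:
            status = "not-yet-valid"
        elif s.expiration - now < timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        findings.append(f"{status}: {label}")
    return findings
```

Running `check_rrsigs` on a live answer from each authoritative server, and separately on the answer a validating resolver returns, shows whether the freshly signed file is what is actually being served. An RRSIG that is still expired and still carries the old key tag points at a server (or cache) that is answering from the previous signed zone rather than at a fault in the signing step.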