Commit ff283cc0 authored by Evan Hunt

[master] added omitted examples directory

parent 13fe015c
2010-02-21 19:43:15.018: debug: Check RFC5011 status
2010-02-21 19:43:15.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:43:15.018: debug: Check KSK status
2010-02-21 19:43:15.018: debug: No active KSK found: generate new one
2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935
2010-02-21 19:43:15.330: debug: Check ZSK status
2010-02-21 19:43:15.330: debug: No active ZSK found: generate new one
2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323
2010-02-21 19:43:15.368: debug: Re-signing necessary: Modfied zone key set
2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set
2010-02-21 19:43:15.368: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:43:15.368: debug: Signing zone "dyn.example.net."
2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:43:15.368: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:43:15.368: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:43:15.374: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:43:15.374: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:43:15.382: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3."
2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed!
2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:43:15.382: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:43:15.382: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 19:45:36.415: debug: Check RFC5011 status
2010-02-21 19:45:36.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:45:36.416: debug: Check KSK status
2010-02-21 19:45:36.416: debug: Check ZSK status
2010-02-21 19:45:36.416: debug: Re-signing not necessary!
2010-02-21 19:45:36.416: debug: Check if there is a parent file to copy
2010-02-21 19:45:41.448: debug: Check RFC5011 status
2010-02-21 19:45:41.448: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:45:41.448: debug: Check KSK status
2010-02-21 19:45:41.448: debug: Check ZSK status
2010-02-21 19:45:41.448: debug: Re-signing necessary: Option -f
2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 19:45:41.448: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:45:41.448: debug: Signing zone "dyn.example.net."
2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:45:41.448: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:45:41.448: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:45:41.457: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:45:41.458: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:45:41.473: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY"
2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed!
2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:45:41.473: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:45:41.473: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 19:47:06.899: debug: Check RFC5011 status
2010-02-21 19:47:06.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:47:06.899: debug: Check KSK status
2010-02-21 19:47:06.899: debug: Check ZSK status
2010-02-21 19:47:06.899: debug: Re-signing necessary: Option -f
2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 19:47:06.899: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:47:06.900: debug: Signing zone "dyn.example.net."
2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:47:06.900: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:47:06.900: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:47:06.910: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:47:06.910: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:47:06.926: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed!
2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:47:06.926: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:47:06.926: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 19:58:40.972: debug: Check RFC5011 status
2010-02-21 19:58:40.972: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 19:58:40.972: debug: Check KSK status
2010-02-21 19:58:40.972: debug: Check ZSK status
2010-02-21 19:58:40.973: debug: Re-signing necessary: Option -f
2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 19:58:40.973: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 19:58:40.973: debug: Signing zone "dyn.example.net."
2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 19:58:40.973: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 19:58:40.973: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 19:58:40.982: debug: Dynamic Zone signing: zone file manually edited: Use it as new input file
2010-02-21 19:58:40.982: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 19:58:40.983: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 19:58:40.999: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0."
2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed!
2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 19:58:40.999: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 19:58:40.999: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 20:00:48.833: debug: Check RFC5011 status
2010-02-21 20:00:48.833: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 20:00:48.833: debug: Check KSK status
2010-02-21 20:00:48.833: debug: Check ZSK status
2010-02-21 20:00:48.833: debug: Re-signing necessary: Option -f
2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 20:00:48.833: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 20:00:48.834: debug: Signing zone "dyn.example.net."
2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 20:00:48.834: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 20:00:48.834: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 20:00:48.844: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 20:00:48.844: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 20:00:48.878: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 20:00:48.878: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 20:00:48.878: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 20:00:48.884: debug: Signing completed after 0s.
2010-02-21 20:01:11.175: debug: Check RFC5011 status
2010-02-21 20:01:11.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 20:01:11.175: debug: Check KSK status
2010-02-21 20:01:11.175: debug: Check ZSK status
2010-02-21 20:01:11.176: debug: Re-signing necessary: Option -f
2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f
2010-02-21 20:01:11.176: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-21 20:01:11.176: debug: Signing zone "dyn.example.net."
2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone
2010-02-21 20:01:11.176: debug: freeze dynamic zone "dyn.example.net."
2010-02-21 20:01:11.176: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-21 20:01:11.181: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-21 20:01:11.181: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-21 20:01:11.202: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone
2010-02-21 20:01:11.203: debug: thaw dynamic zone "dyn.example.net."
2010-02-21 20:01:11.203: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-21 20:01:11.208: debug: Signing completed after 0s.
2010-02-21 20:01:17.175: debug: Check RFC5011 status
2010-02-21 20:01:17.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-21 20:01:17.175: debug: Check KSK status
2010-02-21 20:01:17.175: debug: Check ZSK status
2010-02-21 20:01:17.176: debug: Re-signing not necessary!
2010-02-21 20:01:17.176: debug: Check if there is a parent file to copy
2010-02-25 23:42:29.326: debug: Check RFC5011 status
2010-02-25 23:42:29.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-02-25 23:42:29.326: debug: Check KSK status
2010-02-25 23:42:29.326: debug: Check ZSK status
2010-02-25 23:42:29.326: debug: Re-signing necessary: re-signing interval (2d) reached
2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
2010-02-25 23:42:29.326: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-02-25 23:42:29.327: debug: Signing zone "dyn.example.net."
2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone
2010-02-25 23:42:29.327: debug: freeze dynamic zone "dyn.example.net."
2010-02-25 23:42:29.327: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-02-25 23:42:29.388: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-02-25 23:42:29.425: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-02-25 23:42:29.471: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone
2010-02-25 23:42:29.471: debug: thaw dynamic zone "dyn.example.net."
2010-02-25 23:42:29.471: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-02-25 23:42:29.486: debug: Signing completed after 0s.
2010-03-02 10:59:46.770: debug: Check RFC5011 status
2010-03-02 10:59:46.770: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-03-02 10:59:46.770: debug: Check KSK status
2010-03-02 10:59:46.770: debug: Check ZSK status
2010-03-02 10:59:46.770: debug: Re-signing necessary: re-signing interval (2d) reached
2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached
2010-03-02 10:59:46.770: debug: Writing key file "./dyn.example.net/dnskey.db"
2010-03-02 10:59:46.770: debug: Signing zone "dyn.example.net."
2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone
2010-03-02 10:59:46.770: debug: freeze dynamic zone "dyn.example.net."
2010-03-02 10:59:46.770: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net."
2010-03-02 10:59:46.852: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db
2010-03-02 10:59:46.875: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1"
2010-03-02 10:59:46.950: debug: Cmd dnssec-signzone return: "zone.db.dsigned"
2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone
2010-03-02 10:59:46.950: debug: thaw dynamic zone "dyn.example.net."
2010-03-02 10:59:46.950: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net."
2010-03-02 10:59:46.964: debug: Signing completed after 0s.
2010-10-21 14:01:35.486: debug: Check RFC5011 status
2010-10-21 14:01:35.486: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:01:35.486: debug: Check KSK status
2010-10-21 14:01:35.486: debug: Check ZSK status
2010-10-21 14:01:35.486: debug: No active ZSK found: generate new one
2010-10-21 14:01:35.495: error: sub.example.net.": can't generate new ZSK
2010-10-21 14:01:35.495: debug: Re-signing necessary: Modfied zone key set
2010-10-21 14:01:35.496: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2010-10-21 14:01:35.496: debug: Writing key file "./sub.example.net/dnskey.db"
2010-10-21 14:01:35.496: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2010-10-21 14:01:35.496: debug: Signing zone "sub.example.net."
2010-10-21 14:01:35.496: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9FC981 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2010-10-21 14:01:35.546: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed."
2010-10-21 14:01:35.546: error: "sub.example.net.": signing failed!
2010-10-21 14:02:09.146: debug: Check RFC5011 status
2010-10-21 14:02:09.146: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:02:09.146: debug: Check KSK status
2010-10-21 14:02:09.146: debug: Check ZSK status
2010-10-21 14:02:09.146: debug: No active ZSK found: generate new one
2010-10-21 14:02:09.156: error: sub.example.net.": can't generate new ZSK
2010-10-21 14:02:09.156: debug: Re-signing necessary: Modified keys
2010-10-21 14:02:09.156: notice: "sub.example.net.": re-signing triggered: Modified keys
2010-10-21 14:02:09.156: debug: Writing key file "./sub.example.net/dnskey.db"
2010-10-21 14:02:09.157: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2010-10-21 14:02:09.157: debug: Signing zone "sub.example.net."
2010-10-21 14:02:09.157: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 BD326D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2010-10-21 14:02:09.208: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed."
2010-10-21 14:02:09.208: error: "sub.example.net.": signing failed!
2010-10-21 14:05:35.988: debug: Check RFC5011 status
2010-10-21 14:05:35.988: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:05:35.988: debug: Check KSK status
2010-10-21 14:05:35.988: debug: Check ZSK status
2010-10-21 14:05:35.988: debug: No active ZSK found: generate new one
2010-10-21 14:05:36.091: info: "sub.example.net.": generated new ZSK 7987
2010-10-21 14:05:36.091: debug: Re-signing necessary: Modfied zone key set
2010-10-21 14:05:36.091: notice: "sub.example.net.": re-signing triggered: Modfied zone key set
2010-10-21 14:05:36.091: debug: Writing key file "./sub.example.net/dnskey.db"
2010-10-21 14:05:36.091: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2010-10-21 14:05:36.091: debug: Signing zone "sub.example.net."
2010-10-21 14:05:36.091: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 75DE06 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2010-10-21 14:05:36.170: debug: Cmd dnssec-signzone return: "zone.db.signed"
2010-10-21 14:05:36.170: debug: Signing completed after 0s.
2010-10-21 14:30:43.892: debug: Check RFC5011 status
2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2010-10-21 14:30:43.892: debug: Check KSK status
2010-10-21 14:30:43.892: debug: Check ZSK status
2010-10-21 14:30:43.892: debug: Re-signing not necessary!
2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy
2014-11-14 18:04:37.686: debug: Check RFC5011 status
2014-11-14 18:04:37.686: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:04:37.686: debug: Check KSK status
2014-11-14 18:04:37.686: warning: "sub.example.net.": lifetime of key signing key 33176 exceeded since 4d8h26m2s
2014-11-14 18:04:37.686: debug: Check ZSK status
2014-11-14 18:04:37.686: debug: Lifetime(259200 +/-150 sec) of active key 7987 exceeded (980762 sec)
2014-11-14 18:04:37.686: debug: ->waiting for published key
2014-11-14 18:04:37.686: notice: "sub.example.net.": lifetime of zone signing key 7987 exceeded since 1w1d8h26m2s: ZSK rollover deferred: waiting for published key
2014-11-14 18:04:37.686: debug: New ZSK for publishing needed
2014-11-14 18:04:37.721: debug: ->creating new key 39632
2014-11-14 18:04:37.721: info: "sub.example.net.": new zone signing key 39632 generated for publishing
2014-11-14 18:04:37.721: debug: Re-signing necessary: Modified zone key set
2014-11-14 18:04:37.721: notice: "sub.example.net.": re-signing triggered: Modified zone key set
2014-11-14 18:04:37.721: debug: Writing key file "./sub.example.net/dnskey.db"
2014-11-14 18:04:37.721: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2014-11-14 18:04:37.721: debug: Signing zone "sub.example.net."
2014-11-14 18:04:37.722: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 97195D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-14 18:04:37.729: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC-only DNSKEY"
2014-11-14 18:04:37.729: error: "sub.example.net.": signing failed!
2014-11-14 18:09:16.251: debug: Check RFC5011 status
2014-11-14 18:09:16.251: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:09:16.251: debug: Check KSK status
2014-11-14 18:09:16.251: debug: No active KSK found: generate new one
2014-11-14 18:09:16.288: info: "sub.example.net.": generated new KSK 60396
2014-11-14 18:09:16.288: debug: Check ZSK status
2014-11-14 18:09:16.288: debug: No active ZSK found: generate new one
2014-11-14 18:09:16.329: info: "sub.example.net.": generated new ZSK 21503
2014-11-14 18:09:16.329: debug: Re-signing necessary: Modified zone key set
2014-11-14 18:09:16.329: notice: "sub.example.net.": re-signing triggered: Modified zone key set
2014-11-14 18:09:16.329: debug: Writing key file "./sub.example.net/dnskey.db"
2014-11-14 18:09:16.330: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2014-11-14 18:09:16.330: debug: Signing zone "sub.example.net."
2014-11-14 18:09:16.330: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B26BB7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-14 18:09:16.427: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:09:16.427: debug: Signing completed after 0s.
2014-11-14 18:11:40.699: debug: Check RFC5011 status
2014-11-14 18:11:40.699: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:11:40.699: debug: Check KSK status
2014-11-14 18:11:40.699: debug: Check ZSK status
2014-11-14 18:11:40.699: debug: Re-signing necessary: Modified keys
2014-11-14 18:11:40.699: notice: "sub.example.net.": re-signing triggered: Modified keys
2014-11-14 18:11:40.699: debug: Writing key file "././sub.example.net/dnskey.db"
2014-11-14 18:11:40.699: debug: Incrementing serial number in file "././sub.example.net/zone.db"
2014-11-14 18:11:40.699: debug: Signing zone "sub.example.net."
2014-11-14 18:11:40.699: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 E8CBA9 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-14 18:11:40.876: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-14 18:11:40.876: debug: Signing completed after 0s.
2014-11-14 18:11:46.599: debug: Check RFC5011 status
2014-11-14 18:11:46.599: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:11:46.599: debug: Check KSK status
2014-11-14 18:11:46.599: debug: Check ZSK status
2014-11-14 18:11:46.599: debug: Re-signing not necessary!
2014-11-14 18:11:46.599: debug: Check if there is a parent file to copy
2014-11-14 18:15:54.379: debug: Check RFC5011 status
2014-11-14 18:15:54.379: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:15:54.379: debug: Check KSK status
2014-11-14 18:15:54.379: debug: Check ZSK status
2014-11-14 18:15:54.379: debug: Re-signing not necessary!
2014-11-14 18:15:54.379: debug: Check if there is a parent file to copy
2014-11-14 18:31:09.365: debug: Check RFC5011 status
2014-11-14 18:31:09.365: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:31:09.365: debug: Check KSK status
2014-11-14 18:31:09.365: debug: Check ZSK status
2014-11-14 18:31:09.365: debug: Re-signing not necessary!
2014-11-14 18:31:09.365: debug: Check if there is a parent file to copy
2014-11-14 18:31:27.335: debug: Check RFC5011 status
2014-11-14 18:31:27.335: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:31:27.335: debug: Check KSK status
2014-11-14 18:31:27.335: debug: Check ZSK status
2014-11-14 18:31:27.335: debug: Re-signing not necessary!
2014-11-14 18:31:27.335: debug: Check if there is a parent file to copy
2014-11-14 18:38:16.355: debug: Check RFC5011 status
2014-11-14 18:38:16.355: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-14 18:38:16.355: debug: Check KSK status
2014-11-14 18:38:16.355: debug: Check ZSK status
2014-11-14 18:38:16.355: debug: Re-signing not necessary!
2014-11-14 18:38:16.356: debug: Check if there is a parent file to copy
2014-11-15 18:16:50.447: debug: Check RFC5011 status
2014-11-15 18:16:50.447: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:16:50.447: debug: Check KSK status
2014-11-15 18:16:50.447: debug: Check ZSK status
2014-11-15 18:16:50.447: debug: Re-signing necessary: re-signing interval (1d) reached
2014-11-15 18:16:50.447: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached
2014-11-15 18:16:50.447: debug: Writing key file "././sub.example.net/dnskey.db"
2014-11-15 18:16:50.447: debug: Incrementing serial number in file "././sub.example.net/zone.db"
2014-11-15 18:16:50.447: debug: Signing zone "sub.example.net."
2014-11-15 18:16:50.448: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 DC5680 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-15 18:16:50.572: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-15 18:16:50.572: debug: Signing completed after 0s.
2014-11-15 18:16:54.202: debug: Check RFC5011 status
2014-11-15 18:16:54.202: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:16:54.202: debug: Check KSK status
2014-11-15 18:16:54.202: debug: Check ZSK status
2014-11-15 18:16:54.202: debug: Re-signing not necessary!
2014-11-15 18:16:54.202: debug: Check if there is a parent file to copy
2014-11-15 18:17:06.918: debug: Check RFC5011 status
2014-11-15 18:17:06.918: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:17:06.918: debug: Check KSK status
2014-11-15 18:17:06.918: debug: Check ZSK status
2014-11-15 18:17:06.918: debug: Re-signing not necessary!
2014-11-15 18:17:06.918: debug: Check if there is a parent file to copy
2014-11-15 18:17:17.242: debug: Check RFC5011 status
2014-11-15 18:17:17.242: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-15 18:17:17.242: debug: Check KSK status
2014-11-15 18:17:17.242: debug: Check ZSK status
2014-11-15 18:17:17.242: debug: Re-signing not necessary!
2014-11-15 18:17:17.242: debug: Check if there is a parent file to copy
2014-11-17 19:12:44.029: debug: Check RFC5011 status
2014-11-17 19:12:44.029: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:12:44.029: debug: Check KSK status
2014-11-17 19:12:44.029: debug: Check ZSK status
2014-11-17 19:12:44.029: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263008 sec)
2014-11-17 19:12:44.029: debug: ->waiting for published key
2014-11-17 19:12:44.029: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m28s: ZSK rollover deferred: waiting for published key
2014-11-17 19:12:44.029: debug: New ZSK for publishing needed
2014-11-17 19:12:44.110: debug: ->creating new key 53867
2014-11-17 19:12:44.110: info: "sub.example.net.": new zone signing key 53867 generated for publishing
2014-11-17 19:12:44.110: debug: Re-signing necessary: Modified zone key set
2014-11-17 19:12:44.110: notice: "sub.example.net.": re-signing triggered: Modified zone key set
2014-11-17 19:12:44.110: debug: Writing key file "./sub.example.net/dnskey.db"
2014-11-17 19:12:44.111: debug: Incrementing serial number in file "./sub.example.net/zone.db"
2014-11-17 19:12:44.111: debug: Signing zone "sub.example.net."
2014-11-17 19:12:44.111: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9F5882 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1"
2014-11-17 19:12:44.250: debug: Cmd dnssec-signzone return: "zone.db.signed"
2014-11-17 19:12:44.250: debug: Signing completed after 0s.
2014-11-17 19:12:49.691: debug: Check RFC5011 status
2014-11-17 19:12:49.691: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:12:49.691: debug: Check KSK status
2014-11-17 19:12:49.691: debug: Check ZSK status
2014-11-17 19:12:49.691: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263013 sec)
2014-11-17 19:12:49.691: debug: ->waiting for published key
2014-11-17 19:12:49.691: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m33s: ZSK rollover deferred: waiting for published key
2014-11-17 19:12:49.692: debug: Re-signing not necessary!
2014-11-17 19:12:49.692: debug: Check if there is a parent file to copy
2014-11-17 19:13:02.603: debug: Check RFC5011 status
2014-11-17 19:13:02.603: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:02.603: debug: Check KSK status
2014-11-17 19:13:02.603: debug: Check ZSK status
2014-11-17 19:13:02.603: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263026 sec)
2014-11-17 19:13:02.603: debug: ->waiting for published key
2014-11-17 19:13:02.603: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m46s: ZSK rollover deferred: waiting for published key
2014-11-17 19:13:02.603: debug: Re-signing not necessary!
2014-11-17 19:13:02.603: debug: Check if there is a parent file to copy
2014-11-17 19:13:50.409: debug: Check RFC5011 status
2014-11-17 19:13:50.409: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:50.409: debug: Check KSK status
2014-11-17 19:13:50.409: debug: Check ZSK status
2014-11-17 19:13:50.409: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263074 sec)
2014-11-17 19:13:50.409: debug: ->waiting for published key
2014-11-17 19:13:50.409: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m34s: ZSK rollover deferred: waiting for published key
2014-11-17 19:13:50.409: debug: Re-signing not necessary!
2014-11-17 19:13:50.409: debug: Check if there is a parent file to copy
2014-11-17 19:13:54.302: debug: Check RFC5011 status
2014-11-17 19:13:54.302: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:13:54.302: debug: Check KSK status
2014-11-17 19:13:54.302: debug: Check ZSK status
2014-11-17 19:13:54.302: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263078 sec)
2014-11-17 19:13:54.302: debug: ->waiting for published key
2014-11-17 19:13:54.302: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m38s: ZSK rollover deferred: waiting for published key
2014-11-17 19:13:54.302: debug: Re-signing not necessary!
2014-11-17 19:13:54.302: debug: Check if there is a parent file to copy
2014-11-17 19:14:01.845: debug: Check RFC5011 status
2014-11-17 19:14:01.846: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2014-11-17 19:14:01.846: debug: Check KSK status
2014-11-17 19:14:01.846: debug: Check ZSK status
2014-11-17 19:14:01.846: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263085 sec)
2014-11-17 19:14:01.846: debug: ->waiting for published key
2014-11-17 19:14:01.846: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m45s: ZSK rollover deferred: waiting for published key
2014-11-17 19:14:01.846: debug: Re-signing not necessary!
2014-11-17 19:14:01.846: debug: Check if there is a parent file to copy
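Review bot: The committed signer log carries a series of failed runs with no explanation, which makes the example look broken to anyone reading it: the entries at 2010-02-21 19:43 through 19:58, 2010-10-21 14:01 and 14:02, and 2014-11-14 18:04 all end in `signing failed!`. The quoted dnssec-signzone messages show the failures came from requesting NSEC3 with `-3` against a zone whose keys or existing chain did not allow it ("Zone contains NSEC records. Use -u to update to NSEC3.", "NSEC3 generation requested with NSEC only DNSKEY"). Either trim the log to the clean runs or add a short README beside it saying the failures are kept on purpose and what resolved them; generated logs are otherwise better left out of version control.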
../zkt-ls.sh
\ No newline at end of file
../zkt-signer.sh
\ No newline at end of file
../zkt-ls.sh
\ No newline at end of file
../zkt-signer.sh
\ No newline at end of file
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "extern"
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 1w # (604800 seconds)
Sigvalidity: 10d # (864000 seconds)
Max_TTL: 8h # (28800 seconds)
Propagation: 5m # (300 seconds)
KEY_TTL: 1h # (3600 seconds)
Serialformat: unixtime
# signing key parameters
KSK_lifetime: 1y # (31536000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 30d # (2592000 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
# dnssec-signer options
LogFile: "zkt-ext.log"
LogLevel: "debug"
SyslogFacility: "none"
SyslogLevel: "notice"
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
DLV_Domain: ""
Sig_Pseudorand: True
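Review bot: `ZSK_bits: 512` is too short for an RSA signing key (512-bit RSA moduli have been publicly factored), and `KSK_bits: 1300` with `KSK_algo: RSASHA1` is weak as well; sample configs get copied into production, so the example should not model these values. Raise the ZSK to at least 1024 bits, preferably 2048, raise the KSK to 2048, and switch both `*_algo` lines to a SHA-2 based algorithm if the ZKT version these examples target offers one. The intern copy of dnssec.conf that follows carries the same four lines.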
#
# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
#
# dnssec-zkt options
Zonedir: "intern"
Recursive: True
PrintTime: False
PrintAge: True
LeftJustify: False
# zone specific values
ResignInterval: 5h # (18000 seconds)
Sigvalidity: 1d # (86400 seconds)
Max_TTL: 30m # (1800 seconds)
Propagation: 1m # (60 seconds)
KEY_TTL: 30m # (1800 seconds)
Serialformat: unixtime
# signing key parameters
KSK_lifetime: 1y # (31536000 seconds)
KSK_algo: RSASHA1 # (Algorithm ID 5)
KSK_bits: 1300
KSK_randfile: "/dev/urandom"
ZSK_lifetime: 30d # (2592000 seconds)
ZSK_algo: RSASHA1 # (Algorithm ID 5)
ZSK_bits: 512
ZSK_randfile: "/dev/urandom"
# dnssec-signer options
LogFile: "zkt-int.log"
LogLevel: "debug"
SyslogFacility: "none"
SyslogLevel: "notice"
VerboseLog: 2
Keyfile: "dnskey.db"
Zonefile: "zone.db"
DLV_Domain: ""
Sig_Pseudorand: True
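Review bot: `Sigvalidity: 1d` under "zone specific values" means the intern view's signatures expire within a day of the last successful signing run, and nothing in the file tells the reader how often the signer has to run to stay inside that window. With `ResignInterval: 5h`, a comment stating the expected cron interval, and that a stalled signer leaves the zone with expired signatures in under 24 hours, would make these short values safe to copy.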
#!/bin/sh
#
# Shell script to start the dnssec-signer
# command out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@"
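Review bot: the `ZKT_CONFFILE=` line takes both the config path from `pwd` and the binary from the relative `../../dnssec-signer`, so the script only does the right thing when the caller's working directory is the view directory. The header comment implies this, but the script never checks it. Suggest failing early when `dnssec.conf` is not present in the current directory, and printing which config file is being used. Otherwise a run from the wrong directory silently picks up a different `dnssec.conf`, or none.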
#!/bin/sh
#
# Shell script to start the dnssec-signer
# command out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@"
#!/bin/sh
#
# Shell script to start the dnssec-zkt command
# out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@"
#!/bin/sh
#
# Shell script to start the dnssec-zkt command
# out of the view directory
#
ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@"
;-----------------------------------------------------------------
;
; @(#) extern/example.net/zone.db
;
;-----------------------------------------------------------------
$TTL 7200
@ IN SOA ns1.example.net. hostmaster.example.net. (
0 ; Serial
43200 ; Refresh
1800 ; Retry
2W ; Expire
7200 ) ; Minimum
IN NS ns1.example.net.
IN NS ns2.example.net.
ns1 IN A 1.0.0.5
IN AAAA 2001:db8::53
ns2 IN A 1.2.0.6
localhost IN A 127.0.0.1
; Delegation to secure zone; The DS resource record will
; be added by dnssec-signzone automatically if the
; keyset-sub.example.net file is present (run dnssec-signzone
; with option -g or use the dnssec-signer tool) ;-)
sub IN NS ns1.example.net.
; this file will have all the zone keys
$INCLUDE dnskey.db
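Review bot: the `ns1` and `ns2` A records use `1.0.0.5` and `1.2.0.6`, which are ordinary routable addresses, while the AAAA record on `ns1` already uses the `2001:db8::/32` documentation prefix. Suggest moving the A records to a documentation range such as 192.0.2.0/24 (RFC 5737), so that a copied example zone never points at someone else's hosts.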
2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 17:59:04.196: debug: Check RFC5011 status
2008-06-12 17:59:04.196: debug: ->ksk5011status returns 0
2008-06-12 17:59:04.196: debug: Check ksk status
2008-06-12 17:59:04.196: debug: Re-signing not necessary!
2008-06-12 17:59:04.196: notice: end of run: 0 errors occured
2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 17:59:17.436: debug: Check RFC5011 status
2008-06-12 17:59:17.436: debug: ->ksk5011status returns 0
2008-06-12 17:59:17.436: debug: Check ksk status
2008-06-12 17:59:17.436: debug: Re-signing not necessary!
2008-06-12 17:59:17.436: notice: end of run: 0 errors occured
2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 18:00:07.819: debug: Check RFC5011 status
2008-06-12 18:00:07.819: debug: ->ksk5011status returns 0
2008-06-12 18:00:07.819: debug: Check ksk status
2008-06-12 18:00:07.819: debug: Re-signing not necessary!
2008-06-12 18:00:07.819: notice: end of run: 0 errors occured
2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v
2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net."
2008-06-12 18:00:39.020: debug: Check RFC5011 status
2008-06-12 18:00:39.020: debug: ->ksk5011status returns 0
2008-06-12 18:00:39.020: debug: Check ksk status
2008-06-12 18:00:39.020: debug: Re-signing not necessary!
2008-06-12 18:00:39.020: notice: end of run: 0 errors occured
2008-10-03 01:00:45.544: notice: ------------------------------------------------------------
2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v
2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net"
2008-10-03 01:00:45.545: debug: Check RFC5011 status
2008-10-03 01:00:45.545: debug: ->not a rfc5011 zone, looking for a regular ksk rollover
2008-10-03 01:00:45.545: debug: Check KSK status
2008-10-03 01:00:45.545: debug: Check ZSK status
2008-10-03 01:00:45.545: debug: Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec)
2008-10-03 01:00:45.546: debug: ->depreciate it
2008-10-03 01:00:45.546: debug: ->activate published key 10367
2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done
2008-10-03 01:00:45.546: debug: New key for publishing needed
2008-10-03 01:00:45.614: debug: ->creating new key 14714
2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing
2008-10-03 01:00:45.614: debug: Re-signing necessary: New zone key
2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key
2008-10-03 01:00:45.614: debug: Writing key file "extern/example.net/dnskey.db"
2008-10-03 01:00:45.614: debug: Signing zone "example.net"
2008-10-03 01:00:45.614: debug: Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +864000 -N unixtime zone.db K*.private"
2008-10-03 01:00:46.114: debug: Cmd dnssec-signzone return: "zone.db.signed"
2008-10-03 01:00:46.114: debug: Signing completed after 1s.
2008-10-03 01:00:46.114: debug: