Fix autosign system test, allow expired zone signatures to be replaced with KSK RRSIGs

Merged Matthijs Mekking requested to merge 3035-dnssec-policy-stops-signing-when-removing-zsk into main Dec 03, 2021

BIND can log this warning:

    zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
      missing or inactive and has no replacement: retaining signatures.

This log can happen when BIND tries to remove signatures because they are about to expire or to be resigned. These RRsets may be signed with the KSK if the ZSK file has been removed from disk. When we have created a new ZSK we can replace the signatures created by the KSK with signatures from the new ZSK.

It complains about the KSK being missing or inactive, but actually it takes the key id from the RRSIG.

The warning is logged if BIND detects the private ZSK file is missing.

The warning is logged even if we were able to delete the signature.

With the change from this commit it only logs this warning if it is not okay to delete the signature.

Closes #3035 (closed), #3049 (closed)
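A simplified model of the decision described in this merge request, added here as an illustration; it is not BIND's own code. The `Key` and `Rrsig` records, the `plan_signature` function and the sample key set are constructed for the example, using the key tag and zone name from the warning quoted above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Key:
    keytag: int
    role: str              # "KSK" or "ZSK"
    active: bool           # inside its signing period per the dnssec-policy
    private_on_disk: bool  # private key file present, so the key can sign

@dataclass
class Rrsig:
    owner: str
    algorithm: str
    keytag: int            # key id carried in the RRSIG (what the warning reports)
    expires_soon: bool     # due for removal / re-signing

def can_sign(k: Optional[Key]) -> bool:
    return k is not None and k.active and k.private_on_disk

def new_zsk(keys: Dict[int, Key], exclude: int) -> Optional[Key]:
    """Return a usable ZSK other than the one named in the RRSIG, if any."""
    for k in keys.values():
        if k.role == "ZSK" and k.keytag != exclude and can_sign(k):
            return k
    return None

def plan_signature(sig: Rrsig, keys: Dict[int, Key]) -> Tuple[str, Optional[str]]:
    """Decide what to do with one RRSIG that is due to be removed.

    Returns (action, warning): "keep" (not yet due), "resign" (same key signs
    again), "replace" (re-sign with the new ZSK) or "retain" (signature cannot
    be dropped; warning text to log). Constructed model, not BIND's logic."""
    if not sig.expires_soon:
        return "keep", None
    signer = keys.get(sig.keytag)
    if signer is not None and signer.role == "ZSK" and can_sign(signer):
        return "resign", None
    # Signer missing, inactive, or the KSK standing in for a removed ZSK:
    # a new ZSK can take over, so the old signature may be deleted without
    # logging the warning (the behaviour this MR introduces).
    if new_zsk(keys, sig.keytag) is not None:
        return "replace", None
    if can_sign(signer):
        return "resign", None      # only the original (KSK) signer is usable
    warning = (f"Key {sig.owner}/{sig.algorithm}/{sig.keytag} missing or inactive "
               "and has no replacement: retaining signatures.")
    return "retain", warning
```

Only the last branch produces the warning, which matches the MR's intent that it is logged solely when the signature cannot be deleted.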

Edited Jan 12, 2022 by Michał Kępień