• Re: dnssec-keygen getting dates wrong

    From Marcel de Riedmatten@mdr@dotforge.ch to bind-users on Sun Aug 30 21:03:36 2020
    From Newsgroup: comp.protocols.dns.bind

    On Sunday 30 August 2020 at 12:58 +0200, Mark Elkins wrote:
    Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much
    up to date.
    dnssec-keygen - Version: 9.16.6

    I create DNSSEC Keys in a manual process and in order to see when a
    Key was created (so I can rotate them - etc..) I look at the Creation
    date inside the 'key' file....
    # dnssec-keygen -a RSASHA256 fubar.com
    # cat Kfubar.com.+008+21010.key
    ; This is a zone-signing key, keyid 21010, for fubar.com.
    ; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
    ; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
    ; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)

    Can anyone spot an issue? Look carefully at the creation date, the
    year in particular!


    Hi

    it looks like a pretty printing issue.

    # dnssec-settime -p all Kfubar.com.+008+21010.key

    should give you the correct timestamp.

    --
    Marcel de Riedmatten

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Mark Andrews@marka@isc.org to Marcel de Riedmatten on Mon Aug 31 10:51:01 2020
    From Newsgroup: comp.protocols.dns.bind

    This is fixed in
    5486. [func] Add 'rndc dnssec -checkds' command to tell named
    that the DS record has been published in the parent.
    [GL #1613]
    Which is in the next maintenance release.
    Mark
    On 31 Aug 2020, at 05:03, Marcel de Riedmatten <mdr@dotforge.ch> wrote:

    On Sunday 30 August 2020 at 12:58 +0200, Mark Elkins wrote:
    Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much
    up to date.
    dnssec-keygen - Version: 9.16.6

    I create DNSSEC Keys in a manual process and in order to see when a
    Key was created (so I can rotate them - etc..) I look at the Creation
    date inside the 'key' file....
    # dnssec-keygen -a RSASHA256 fubar.com
    # cat Kfubar.com.+008+21010.key
    ; This is a zone-signing key, keyid 21010, for fubar.com.
    ; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
    ; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
    ; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)

    Can anyone spot an issue? Look carefully at the creation date, the
    year in particular!


    Hi

    it looks like a pretty printing issue.

    # dnssec-settime -p all Kfubar.com.+008+21010.key

    should give you the correct timestamp.

    --
    Marcel de Riedmatten

    --
    Mark Andrews, ISC
    1 Seymour St., Dundas Valley, NSW 2117, Australia
    PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
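
For the rotation use case raised in the thread, the 14-digit timestamp in the key file header can be read directly and the parenthesised pretty-printed date ignored. The following is an added example, not part of the original thread and not ISC code; it assumes the 14 digits are YYYYMMDDHHMMSS in UTC, and the function names and the `max_age_days` policy are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the key-file header quoted in the thread, including
# the truncated year ("202") in the parenthesised pretty-printed date.
SAMPLE_KEY_HEADER = """\
; This is a zone-signing key, keyid 21010, for fubar.com.
; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)
"""

# "; <Field>: <14 digits>"; whatever follows the digits is ignored on purpose.
TIMING_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})\b")


def parse_key_timings(text):
    """Return {field: aware UTC datetime} from a K*.key comment header."""
    timings = {}
    for line in text.splitlines():
        m = TIMING_RE.match(line)
        if m:
            # Assumption: the numeric stamp is YYYYMMDDHHMMSS in UTC.
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timings[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timings


def key_age_days(text, now):
    """Whole days since the Created timestamp; raises if it is missing."""
    created = parse_key_timings(text).get("Created")
    if created is None:
        raise ValueError("no '; Created:' timestamp in key file header")
    return (now - created).days


def due_for_rotation(text, now, max_age_days):
    """True when the key is at least max_age_days old (hypothetical policy)."""
    return key_age_days(text, now) >= max_age_days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(parse_key_timings(SAMPLE_KEY_HEADER)["Created"].isoformat())
    print("age in days:", key_age_days(SAMPLE_KEY_HEADER, now))
```
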