[Yeti DNS Discuss] First KSK rollover in Yeti Testbed
Kovalenko Dmitry
d.kovalenko at msk-ix.ru
Wed Jul 1 16:43:13 UTC 2015
Hello
Stephane, initial KSK is published at github
https://github.com/BII-Lab/Yeti-Project/blob/master/domain/KSK.pub
". IN DNSKEY 257 3 8
AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4K
yxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfj
TT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJ
xHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQ
k770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJL
O15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbz ABX8sQmwO7s=
"
and it differs from what you have sent.
So I think your resolver picked up new KSK, but dropped old one.
The reason is yeti root zone inconsistency
> dig @bii.dns-lab.net. -t dnskey . +short
257 3 8 AwEAAaP3gGQ4db0tAiDEky0dcUNGeI1aTDYP5NFxzhbdpD60ZhKLVV4K
yxPmoSNUpq5Fv5M0iBwK1Tyswsyq/9sMSoZ8zx8aT3ho1YnPsSqQeJfj
TT1WsX6YZ5Kw6B2QkjRNa6OMGZ96Kn8AI/slqsw+z8hY49Sn3baeo9iJ
xHPzloNc2dQkW4aLqzNEYxnuoJsthCfGrPSAXlUjY9m3YKIaEWR5WFYQ
k770fT+gGWLk/54Vp0sG+Lw75JZnwhDhixPFaToTDNqbHQmkEylq1XJL
O15uZ/+RZNRfTXZKO4fVR0tMEbMAITqRmyP8xLXY4RXbS4J32gnenQbz ABX8sQmwO7s=
256 3 8 AwEAAa5p5OEermWXk4GrzP1wVvYB7YHGZUOQwNEqgzlsMJFjDcbeHatg
Hwda0HDOP3jsSJd+P9FFmOeDnCBhWtzfch3WVvqEboX+Lw4Y1vc/uwwx
BW0eAARgzruhucg8RJogCCa+0wBjeYD1PYZjpt5ENfSKVcnJeYMFARSZ QXtPnZ0L
257 3 8 AwEAAchb6LrHCdz9Yo55u1id/b+X1FqVDF66xNrhbgnV+vtpiq7pDsT8
KgzSijNuGs4GLGsMhVE/9H0wOtmVRUQqQ50PHZsiqg8gqB6i5zLortjp
aCLZS7Oke1xP+6LzVRgT4c8NXlRBg3m/gDjzijBD0BMACjVGZNv0gReA
g2OCr9dBrweE6DnM6twG7D2NyuGjpWzKeJfNd3Hek39V9NGHuABGkmYG
16XCao37IWcP/s/57HuBom5U3SNfuzfVDppokatuL6dXp9ktuuVXsESc
/rUERU/GPleuNfRuPHFr3URmrRud4DYbRWNVIsxqkSLrCldDjP1Hicf3 S8NgVHJTSRE=
256 3 8 AwEAAa7cUrnJqj2TgFoDK2oeP/tvqNegCVUsg8gq4AnU8LOzNDaV6Kzb
OlQAjXwHzKWI+KWVD01h5q08dVnCcDEboamoNjBQN3hObq0x/8/OCrPf
bl4JkoKU5etD3i11UXOaKqFxKmxFfIh32N9EZxKZcxUQeDE1tHBpreUu aOiTVgN9
> dig @yeti-ns.wide.ad.jp. -t dnskey . +short
256 3 8 AwEAAa7cUrnJqj2TgFoDK2oeP/tvqNegCVUsg8gq4AnU8LOzNDaV6Kzb
OlQAjXwHzKWI+KWVD01h5q08dVnCcDEboamoNjBQN3hObq0x/8/OCrPf
bl4JkoKU5etD3i11UXOaKqFxKmxFfIh32N9EZxKZcxUQeDE1tHBpreUu aOiTVgN9
256 3 8 AwEAAa5p5OEermWXk4GrzP1wVvYB7YHGZUOQwNEqgzlsMJFjDcbeHatg
Hwda0HDOP3jsSJd+P9FFmOeDnCBhWtzfch3WVvqEboX+Lw4Y1vc/uwwx
BW0eAARgzruhucg8RJogCCa+0wBjeYD1PYZjpt5ENfSKVcnJeYMFARSZ QXtPnZ0L
257 3 8 AwEAAchb6LrHCdz9Yo55u1id/b+X1FqVDF66xNrhbgnV+vtpiq7pDsT8
KgzSijNuGs4GLGsMhVE/9H0wOtmVRUQqQ50PHZsiqg8gqB6i5zLortjp
aCLZS7Oke1xP+6LzVRgT4c8NXlRBg3m/gDjzijBD0BMACjVGZNv0gReA
g2OCr9dBrweE6DnM6twG7D2NyuGjpWzKeJfNd3Hek39V9NGHuABGkmYG
16XCao37IWcP/s/57HuBom5U3SNfuzfVDppokatuL6dXp9ktuuVXsESc
/rUERU/GPleuNfRuPHFr3URmrRud4DYbRWNVIsxqkSLrCldDjP1Hicf3 S8NgVHJTSRE=
01.07.15 16:34, Stephane Bortzmeyer пишет:
> On Wed, Jul 01, 2015 at 09:53:37AM +0000,
> Shane Kerr <shane at biigroup.cn> wrote
> a message of 32 lines which said:
>
>> I see that my Unbound resolver seems to have picked up the new KSK:
> Not mine:
>
> ; autotrust trust anchor file
> ;;id: . 1
> ;;last_queried: 1435734493 ;;Wed Jul 1 07:08:13 2015
> ;;last_success: 1435734493 ;;Wed Jul 1 07:08:13 2015
> ;;next_probe_time: 1435773666 ;;Wed Jul 1 18:01:06 2015
> ;;query_failed: 0
> ;;query_interval: 43200
> ;;retry_time: 8640
> . 85667 IN DNSKEY 257 3 8 AwEAAchb6LrHCdz9Yo55u1id/b+X1FqVDF66xNrhbgnV+vtpiq7pDsT8KgzSijNuGs4GLGsMhVE/9H0wOtmVRUQqQ50P
> HZsiqg8gqB6i5zLortjpaCLZS7Oke1xP+6LzVRgT4c8NXlRBg3m/gDjzijBD0BMACjVGZNv0gReAg2OCr9dBrweE6DnM6twG7D2NyuGjpWzKeJfNd3Hek39V9NGHuABGkmYG
> 16XCao37IWcP/s/57HuBom5U3SNfuzfVDppokatuL6dXp9ktuuVXsESc/rUERU/GPleuNfRuPHFr3URmrRud4DYbRWNVIsxqkSLrCldDjP1Hicf3S8NgVHJTSRE= ;{id =
> 24439 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1434990786 ;;Mon Jun 22 16:33:06 2015
> _______________________________________________
> discuss mailing list
> discuss at lists.yeti-dns.org
> http://lists.yeti-dns.org/mailman/listinfo/discuss
More information about the discuss
mailing list