Can't get rid of key


Can't get rid of key

Alan Batie
I'm trying to clear a zone's dnssec records, or at least some of them -
I removed the key files from the keys directory and removed the zone.*
files (signed, jbk, jnl, etc) and restarted named.  I did a recursive
grep for the key id in question in /var/named and it's nowhere to be
found, yet, after restarting named, the dnskey record returns, and the
other records have corresponding rrsig records.  Where else could the
key be coming from?  Thanks...


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


Re: Can't get rid of key

Mark Andrews
So what do you still have related to the zone?  Have you examined the
contents of those files?  Some of them may be binary so grep won’t work.
Are you actually looking in the right place.  Are you running chroot?
Did you really stop named?  How is the zone defined in named.conf?

Mark

> On 11 Mar 2020, at 11:14, Alan Batie <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: Can't get rid of key

Alan Batie
On 3/10/20 5:51 PM, Mark Andrews wrote:
> So what do you still have related to the zone?  Have you examined the
> contents of those files?  Some of them may be binary so grep won’t work.
> Are you actually looking in the right place.  Are you running chroot?
> Did you really stop named?  How is the zone defined in named.conf?

Not chrooted; a dedicated vm; nothing references oldkeys - it didn't
even exist until I ran into this problem (nothing references those
subdirs either, but they were in the keys dir)

<ns6.peak.org> [283] # pwd
/var/named
<ns6.peak.org> [284] # find . -name cascocom.com
./slaves/cascocom.com
<ns6.peak.org> [285] # find . -name *cascocom.com*
./oldkeys/sha1/Kcascocom.com.+005+09675.key
./oldkeys/sha1/Kcascocom.com.+005+09675.private
./oldkeys/new/Kcascocom.com.+008+65509.private
./oldkeys/new/Kcascocom.com.+008+65509.key
./oldkeys/new/Kcascocom.com.+008+20544.private
./oldkeys/new/Kcascocom.com.+008+20544.key
./oldkeys/old/Kcascocom.com.+008+28998.key
./oldkeys/old/Kcascocom.com.+008+28998.private
./oldkeys/old/Kcascocom.com.+008+30841.key
./oldkeys/old/Kcascocom.com.+008+30841.private
./slaves/cascocom.com.signed
./slaves/cascocom.com
./slaves/cascocom.com.jbk
<ns6.peak.org> [286] # rm slaves/cascocom.com.*
<ns6.peak.org> [287] # ls slaves/cascocom*
slaves/cascocom.com
<ns6.peak.org> [288] # systemctl stop named
<ns6.peak.org> [289] # ps ax | grep named
15709 pts/0    S+     0:00 grep --color=auto named
<ns6.peak.org> [290] # systemctl start named
<ns6.peak.org> [291] # ls slaves/cascocom*
slaves/cascocom.com  slaves/cascocom.com.jbk  slaves/cascocom.com.signed
<ns6.peak.org> [292] # named-compilezone -f raw -F text -o - cascocom.com slaves/cascocom.com.signed | head
zone cascocom.com/IN: loaded serial 2019125927 (DNSSEC signed)
OK
cascocom.com.      3600 IN SOA ns1.peak.org. hostmaster.peak.org. 2019125927 900 900 604800 3600
cascocom.com.      3600 IN RRSIG SOA 8 2 3600 20200410002937 20200310232937 28998 cascocom.com. RTQDpWGWipSbvKpqCdqa1WCSikgpc2rXqBMxOY3Hi7cIseem7Uj1lL4K XMu/FoXBJ2sz5wsBHb9zE0O777lJMlHszoP/0o1s22mB+spygR+zW/n4 +rWt/jvWHBQWhHF1Q3K/LDz0KeaV77xSkBqPOgABbKkeRa4QxCqPVk+t jDk=
; resign=20200410002937
cascocom.com.      3600 IN NS ns1.peak.org.
cascocom.com.      3600 IN NS ns2.peak.org.
cascocom.com.      3600 IN RRSIG NS 5 2 3600 20200406201546 20200307200000 9675 cascocom.com. XDSu5nNT3aXHUVfuEYa5ALokVZsXbXcKkAxjfoxXpdMTRi0YcxZ3za+1 pTBzu1DcLyC1c8h3W6GI3fHCTfrahQRR1kJ1rKKoS+6xfGqwqsR+qQmZ aylUrUFt+VUePeOsVS0MkYorK32GNIc3yYdPItvZcT4DAGp2s+3UsqsU dL4=
cascocom.com.      3600 IN RRSIG NS 8 2 3600 20200409003642 20200310001739 28998 cascocom.com. tfzUe76szQARBfTIYzfPFf8X8jPBd/6+Xe/h+y85OYC6TbcpsJLEDQRI D9SnpTv8odEmzm+Tj+0jrR5+MXPNrw/Mn2u3tTZGzwlBNROpptdGBdGB OoclVgDl0HXOpuKD1GfjO1o5hdoGjMvUNtV0Eb5UNuSEq8qq5KOgMtyR jRI=
; resign=20200406201546
cascocom.com.      3600 IN A 207.55.17.191
cascocom.com.      3600 IN RRSIG A 5 2 3600 20200406201546 20200307200000 9675 cascocom.com. Qv0dFWG7AW/zjXz+rFh9O+o98KDP3LvuLfXM10/zZomRuz/s1MZ591OO c1Py7/GEK7r6xIwl9PUgd5/4alZWYm5sl/kjqpTHkbADsp04LqzQcRwY EMdrGuRuRe9eAJhDcBD306s0xoeceyNRKPZGbPSZKiCMQxjdhteL8toL rj0=

zone "cascocom.com" {
        type slave;
        file "/var/named/slaves/cascocom.com";
        masters {
                2607:f678::52;
        };

        key-directory "/var/named/keys";
        auto-dnssec maintain;
        inline-signing yes;
};
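The named-compilezone output above already answers half of the question: each RRSIG names the algorithm and key tag it was made with (8/28998 and 5/9675 here), and the `find` output shows those tags living under oldkeys/, not under the configured key-directory. The script below is an added example, not code from the thread or from BIND, that automates that cross-check: it parses text-format zone data for RRSIG key tags, looks for the matching K<zone>.+<alg>+<tag>.key files (the naming dnssec-keygen uses) under any directories you name, and can recompute an RFC 4034 key tag from a DNSKEY record to confirm a key file and a DNSKEY really belong together. The function names are mine, and the zone text, the directory layout and the DNSKEY value are constructed from the thread's output rather than real key material.

```python
"""Added example (not code from the thread or from BIND): correlate the key
tags cited by a signed zone's RRSIG records with the K<zone>.+<alg>+<tag>.key
files present under a set of directories, so you can see which key signed
each RRset and where (if anywhere) its file lives. The zone text and the
directory layout below are constructed from the named-compilezone and
`find` output posted in the thread."""
import base64
import os
import struct
import tempfile

# Constructed sample: RRSIG lines in the one-record-per-line shape that
# `named-compilezone -F text` prints (signature data truncated here).
SAMPLE_ZONE = """\
cascocom.com. 3600 IN SOA ns1.peak.org. hostmaster.peak.org. 2019125927 900 900 604800 3600
cascocom.com. 3600 IN RRSIG SOA 8 2 3600 20200410002937 20200310232937 28998 cascocom.com. RTQDpWGW...
; resign=20200410002937
cascocom.com. 3600 IN RRSIG NS 5 2 3600 20200406201546 20200307200000 9675 cascocom.com. XDSu5nNT...
cascocom.com. 3600 IN RRSIG NS 8 2 3600 20200409003642 20200310001739 28998 cascocom.com. tfzUe76s...
"""

# Constructed sample: key-file layout mirroring the thread's `find` output.
SAMPLE_KEY_FILES = [
    "oldkeys/sha1/Kcascocom.com.+005+09675.key",
    "oldkeys/old/Kcascocom.com.+008+28998.key",
    "oldkeys/old/Kcascocom.com.+008+30841.key",
    "oldkeys/new/Kcascocom.com.+008+65509.key",
]


def rrsig_key_tags(zone_text):
    """Return {(algorithm, key_tag): set of covered types} for every RRSIG
    in text-format zone data (RFC 4034 presentation field order)."""
    used = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        covered, alg, tag = fields[i + 1], int(fields[i + 2]), int(fields[i + 7])
        used.setdefault((alg, tag), set()).add(covered)
    return used


def key_file_name(zone, alg, tag):
    """File name dnssec-keygen uses: K<zone>.+<alg, 3 digits>+<tag, 5 digits>.key"""
    return "K%s.+%03d+%05d.key" % (zone.rstrip("."), alg, tag)


def locate_key_files(zone, used, search_dirs):
    """Walk each search dir and map (alg, tag) -> list of matching .key paths,
    relative to the dir they were found under; [] means nothing was found."""
    found = {key: [] for key in used}
    for base in search_dirs:
        for root, _dirs, files in os.walk(base):
            for alg, tag in used:
                name = key_file_name(zone, alg, tag)
                if name in files:
                    found[(alg, tag)].append(os.path.relpath(os.path.join(root, name), base))
    return found


def dnskey_key_tag(flags, protocol, algorithm, public_key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA, to check that a
    DNSKEY in the zone really matches the tag in a key file's name
    (algorithm 1, RSA/MD5, uses a different rule and is not handled)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def report(zone, zone_text, search_dirs):
    """Per (alg, tag): the RR types it signs and where its key file was found."""
    used = rrsig_key_tags(zone_text)
    located = locate_key_files(zone, used, search_dirs)
    return {k: {"covers": sorted(v), "files": located[k]} for k, v in used.items()}


def build_sample_tree():
    """Materialise SAMPLE_KEY_FILES (plus an empty keys/ dir) in a temp dir."""
    base = tempfile.mkdtemp(prefix="named-example-")
    os.makedirs(os.path.join(base, "keys"))  # the configured key-directory, empty
    for rel in SAMPLE_KEY_FILES:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("; constructed placeholder, not real key material\n")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for (alg, tag), info in sorted(report("cascocom.com", SAMPLE_ZONE, [base]).items()):
        where = ", ".join(info["files"]) or "NO KEY FILE FOUND"
        print("alg %d tag %5d signs %-7s -> %s" % (alg, tag, ",".join(info["covers"]), where))
    # Searching only the configured key-directory finds nothing for either tag.
    print(report("cascocom.com", SAMPLE_ZONE, [os.path.join(base, "keys")]))
    # Constructed DNSKEY (flags 257, protocol 3, alg 8, 4 bytes of key data).
    print("constructed DNSKEY has key tag", dnskey_key_tag(257, 3, 8, "AQIDBA=="))
```

On a real host you would feed it the text form of the .signed file (`named-compilezone -f raw -F text -o - <zone> <file>.signed`) and point the search at /var/named; the tags in that file's RRSIGs are the keys named last signed with, so a tag whose file is absent from the key-directory but present elsewhere is exactly the mismatch worth explaining before deleting anything further.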





Re: Can't get rid of key

Mark Andrews
and the content of /var/named/keys are?

> On 11 Mar 2020, at 12:06, Alan Batie <[hidden email]> wrote:

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]


Re: Can't get rid of key

Alan Batie
On 3/10/20 6:31 PM, Mark Andrews wrote:
> and the content of /var/named/keys are?

>> <ns6.peak.org> [285] # find . -name *cascocom.com*
>> ./oldkeys/sha1/Kcascocom.com.+005+09675.key
>> ./oldkeys/sha1/Kcascocom.com.+005+09675.private
>> ./oldkeys/new/Kcascocom.com.+008+65509.private
>> ./oldkeys/new/Kcascocom.com.+008+65509.key
>> ./oldkeys/new/Kcascocom.com.+008+20544.private
>> ./oldkeys/new/Kcascocom.com.+008+20544.key
>> ./oldkeys/old/Kcascocom.com.+008+28998.key
>> ./oldkeys/old/Kcascocom.com.+008+28998.private
>> ./oldkeys/old/Kcascocom.com.+008+30841.key
>> ./oldkeys/old/Kcascocom.com.+008+30841.private
>> ./slaves/cascocom.com.signed
>> ./slaves/cascocom.com
>> ./slaves/cascocom.com.jbk
Nothing relating to cascocom.com

