dnssec-keygen getting dates wrong

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

dnssec-keygen getting dates wrong

Mark Elkins

Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much up to date.

dnssec-keygen - Version: 9.16.6


I create DNSSEC Keys in a manual process and in order to see when a Key was created (so I can rotate them - etc..) I look at the Creation date inside the 'key' file....

# dnssec-keygen -a RSASHA256 fubar.com

# cat Kfubar.com.+008+21010.key
; This is a zone-signing key, keyid 21010, for fubar.com.
; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)

Can anyone spot an issue? Look carefully at the creation date, the year in particular!

--

Mark James ELKINS  -  Posix Systems - (South) Africa
[hidden email]       Tel: <a href="tel:+27826010496">+27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

Posix
          SystemsVCARD for
          MJ Elkins


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: dnssec-keygen getting dates wrong

Marcel de Riedmatten
Le dimanche 30 août 2020 à 12:58 +0200, Mark Elkins a écrit :

> Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much
> up to date.
> dnssec-keygen - Version: 9.16.6
>
> I create DNSSEC Keys in a manual process and in order to see when a
> Key was created (so I can rotate them - etc..) I look at the Creation
> date inside the 'key' file....
> # dnssec-keygen -a RSASHA256 fubar.com
> # cat Kfubar.com.+008+21010.key 
> ; This is a zone-signing key, keyid 21010, for fubar.com.
> ; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
> ; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
> ; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)
>
> Can anyone spot an issue? Look carefully at the creation date, the
> year in particular!


Hi

it looks like a pretty printing issue.

# dnssec-settime -p all Kfubar.com.+008+21010.key

should give you the correct timestamp.

-- 
Marcel de Riedmatten

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Reply | Threaded
Open this post in threaded view
|

Re: dnssec-keygen getting dates wrong

Mark Andrews
This is fixed in

5486.   [func]          Add 'rndc dnssec -checkds' command to tell named
                        that the DS record has been published in the parent.
                        [GL #1613]

Which is in the next maintenance release.

Mark

> On 31 Aug 2020, at 05:03, Marcel de Riedmatten <[hidden email]> wrote:
>
> Le dimanche 30 août 2020 à 12:58 +0200, Mark Elkins a écrit :
>> Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much
>> up to date.
>> dnssec-keygen - Version: 9.16.6
>>
>> I create DNSSEC Keys in a manual process and in order to see when a
>> Key was created (so I can rotate them - etc..) I look at the Creation
>> date inside the 'key' file....
>> # dnssec-keygen -a RSASHA256 fubar.com
>> # cat Kfubar.com.+008+21010.key
>> ; This is a zone-signing key, keyid 21010, for fubar.com.
>> ; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
>> ; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
>> ; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)
>>
>> Can anyone spot an issue? Look carefully at the creation date, the
>> year in particular!
>
>
> Hi
>
> it looks like a pretty printing issue.
>
> # dnssec-settime -p all Kfubar.com.+008+21010.key
>
> should give you the correct timestamp.
>
> --
> Marcel de Riedmatten
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users