From ff283cc0bcbca63c2616ae17b8479074f54bc65b Mon Sep 17 00:00:00 2001 
From: Evan Hunt
Date: Fri, 21 Nov 2014 08:47:06 -0800
Subject: [PATCH] [master] added omitted examples directory
---
.../dyn.example.net/zktlog-dyn.example.net. | 161 ++++
.../flat/example.net/zktlog-example.net. | 687 ++++++++++++++++++
.../sub.example.net/zktlog-sub.example.net. | 218 ++++++
contrib/zkt-1.1.3/examples/flat/zkt-ls | 1 +
contrib/zkt-1.1.3/examples/flat/zkt-signer | 1 +
.../zkt-1.1.3/examples/hierarchical/zkt-ls | 1 +
.../examples/hierarchical/zkt-signer | 1 +
.../examples/views/dnssec-extern.conf | 39 +
.../examples/views/dnssec-intern.conf | 39 +
.../examples/views/dnssec-signer-extern | 7 +
.../examples/views/dnssec-signer-intern | 7 +
.../examples/views/dnssec-zkt-extern | 7 +
.../examples/views/dnssec-zkt-intern | 7 +
.../examples/views/extern/example.net/zone.db | 33 +
.../views/extern/example.net/zone.db.signed | 0
.../examples/views/extern/zkt-ext.log | 51 ++
.../examples/views/intern/example.net/zone.db | 33 +
.../views/intern/example.net/zone.db.signed | 0
.../examples/views/intern/zkt-int.log | 192 +++++
contrib/zkt-1.1.3/examples/views/named.conf | 97 +++
contrib/zkt-1.1.3/examples/views/named.log | 17 +
contrib/zkt-1.1.3/examples/views/root.hint | 45 ++
contrib/zkt-1.1.3/examples/views/viewtest.sh | 20 +
23 files changed, 1664 insertions(+)
create mode 100644 contrib/zkt-1.1.3/examples/flat/dyn.example.net/zktlog-dyn.example.net.
create mode 100644 contrib/zkt-1.1.3/examples/flat/example.net/zktlog-example.net.
create mode 100644 contrib/zkt-1.1.3/examples/flat/sub.example.net/zktlog-sub.example.net.
create mode 120000 contrib/zkt-1.1.3/examples/flat/zkt-ls
create mode 120000 contrib/zkt-1.1.3/examples/flat/zkt-signer
create mode 120000 contrib/zkt-1.1.3/examples/hierarchical/zkt-ls
create mode 120000 contrib/zkt-1.1.3/examples/hierarchical/zkt-signer
create mode 100644 contrib/zkt-1.1.3/examples/views/dnssec-extern.conf
create mode 100644 contrib/zkt-1.1.3/examples/views/dnssec-intern.conf
create mode 100644 contrib/zkt-1.1.3/examples/views/dnssec-signer-extern
create mode 100644 contrib/zkt-1.1.3/examples/views/dnssec-signer-intern
create mode 100644 contrib/zkt-1.1.3/examples/views/dnssec-zkt-extern
create mode 100644 contrib/zkt-1.1.3/examples/views/dnssec-zkt-intern
create mode 100644 contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db
create mode 100644 contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db.signed
create mode 100644 contrib/zkt-1.1.3/examples/views/extern/zkt-ext.log
create mode 100644 contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db
create mode 100644 contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db.signed
create mode 100644 contrib/zkt-1.1.3/examples/views/intern/zkt-int.log
create mode 100644 contrib/zkt-1.1.3/examples/views/named.conf
create mode 100644 contrib/zkt-1.1.3/examples/views/named.log
create mode 100644 contrib/zkt-1.1.3/examples/views/root.hint
create mode 100644 contrib/zkt-1.1.3/examples/views/viewtest.sh
diff --git a/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zktlog-dyn.example.net. b/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zktlog-dyn.example.net.
new file mode 100644
index 0000000000..24643defaf
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zktlog-dyn.example.net.
@@ -0,0 +1,161 @@ +2010-02-21 19:43:15.018: debug: Check RFC5011 status +2010-02-21 19:43:15.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:43:15.018: debug: Check KSK status +2010-02-21 19:43:15.018: debug: No active KSK found: generate new one +2010-02-21 19:43:15.330: info: "dyn.example.net.": generated new KSK 52935 +2010-02-21 19:43:15.330: debug: Check ZSK status +2010-02-21 19:43:15.330: debug: No active ZSK found: generate new one +2010-02-21 19:43:15.368: info: "dyn.example.net.": generated new ZSK 30323 +2010-02-21 19:43:15.368: debug: Re-signing necessary: Modfied zone key set +2010-02-21 19:43:15.368: notice: "dyn.example.net.": re-signing triggered: Modfied zone key set +2010-02-21 19:43:15.368: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-21 19:43:15.368: debug: Signing zone "dyn.example.net." +2010-02-21 19:43:15.368: notice: "dyn.example.net.": freeze dynamic zone +2010-02-21 19:43:15.368: debug: freeze dynamic zone "dyn.example.net." +2010-02-21 19:43:15.368: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-21 19:43:15.374: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-21 19:43:15.374: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-21 19:43:15.382: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: Zone contains NSEC records. Use -u to update to NSEC3." +2010-02-21 19:43:15.382: error: "dyn.example.net.": signing failed! +2010-02-21 19:43:15.382: notice: "dyn.example.net.": thaw dynamic zone +2010-02-21 19:43:15.382: debug: thaw dynamic zone "dyn.example.net." +2010-02-21 19:43:15.382: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." 
+2010-02-21 19:45:36.415: debug: Check RFC5011 status +2010-02-21 19:45:36.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:45:36.416: debug: Check KSK status +2010-02-21 19:45:36.416: debug: Check ZSK status +2010-02-21 19:45:36.416: debug: Re-signing not necessary! +2010-02-21 19:45:36.416: debug: Check if there is a parent file to copy +2010-02-21 19:45:41.448: debug: Check RFC5011 status +2010-02-21 19:45:41.448: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:45:41.448: debug: Check KSK status +2010-02-21 19:45:41.448: debug: Check ZSK status +2010-02-21 19:45:41.448: debug: Re-signing necessary: Option -f +2010-02-21 19:45:41.448: notice: "dyn.example.net.": re-signing triggered: Option -f +2010-02-21 19:45:41.448: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-21 19:45:41.448: debug: Signing zone "dyn.example.net." +2010-02-21 19:45:41.448: notice: "dyn.example.net.": freeze dynamic zone +2010-02-21 19:45:41.448: debug: freeze dynamic zone "dyn.example.net." +2010-02-21 19:45:41.448: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-21 19:45:41.457: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-21 19:45:41.458: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-21 19:45:41.473: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY" +2010-02-21 19:45:41.473: error: "dyn.example.net.": signing failed! +2010-02-21 19:45:41.473: notice: "dyn.example.net.": thaw dynamic zone +2010-02-21 19:45:41.473: debug: thaw dynamic zone "dyn.example.net." +2010-02-21 19:45:41.473: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." 
+2010-02-21 19:47:06.899: debug: Check RFC5011 status +2010-02-21 19:47:06.899: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:47:06.899: debug: Check KSK status +2010-02-21 19:47:06.899: debug: Check ZSK status +2010-02-21 19:47:06.899: debug: Re-signing necessary: Option -f +2010-02-21 19:47:06.899: notice: "dyn.example.net.": re-signing triggered: Option -f +2010-02-21 19:47:06.899: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-21 19:47:06.900: debug: Signing zone "dyn.example.net." +2010-02-21 19:47:06.900: notice: "dyn.example.net.": freeze dynamic zone +2010-02-21 19:47:06.900: debug: freeze dynamic zone "dyn.example.net." +2010-02-21 19:47:06.900: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-21 19:47:06.910: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-21 19:47:06.910: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-21 19:47:06.926: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0." +2010-02-21 19:47:06.926: error: "dyn.example.net.": signing failed! +2010-02-21 19:47:06.926: notice: "dyn.example.net.": thaw dynamic zone +2010-02-21 19:47:06.926: debug: thaw dynamic zone "dyn.example.net." +2010-02-21 19:47:06.926: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." 
+2010-02-21 19:58:40.972: debug: Check RFC5011 status +2010-02-21 19:58:40.972: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:58:40.972: debug: Check KSK status +2010-02-21 19:58:40.972: debug: Check ZSK status +2010-02-21 19:58:40.973: debug: Re-signing necessary: Option -f +2010-02-21 19:58:40.973: notice: "dyn.example.net.": re-signing triggered: Option -f +2010-02-21 19:58:40.973: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-21 19:58:40.973: debug: Signing zone "dyn.example.net." +2010-02-21 19:58:40.973: notice: "dyn.example.net.": freeze dynamic zone +2010-02-21 19:58:40.973: debug: freeze dynamic zone "dyn.example.net." +2010-02-21 19:58:40.973: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-21 19:58:40.982: debug: Dynamic Zone signing: zone file manually edited: Use it as new input file +2010-02-21 19:58:40.982: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-21 19:58:40.983: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-21 19:58:40.999: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 iterations too big for weakest DNSKEY strength. Maximum iterations allowed 0." +2010-02-21 19:58:40.999: error: "dyn.example.net.": signing failed! +2010-02-21 19:58:40.999: notice: "dyn.example.net.": thaw dynamic zone +2010-02-21 19:58:40.999: debug: thaw dynamic zone "dyn.example.net." +2010-02-21 19:58:40.999: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." 
+2010-02-21 20:00:48.833: debug: Check RFC5011 status +2010-02-21 20:00:48.833: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 20:00:48.833: debug: Check KSK status +2010-02-21 20:00:48.833: debug: Check ZSK status +2010-02-21 20:00:48.833: debug: Re-signing necessary: Option -f +2010-02-21 20:00:48.833: notice: "dyn.example.net.": re-signing triggered: Option -f +2010-02-21 20:00:48.833: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-21 20:00:48.834: debug: Signing zone "dyn.example.net." +2010-02-21 20:00:48.834: notice: "dyn.example.net.": freeze dynamic zone +2010-02-21 20:00:48.834: debug: freeze dynamic zone "dyn.example.net." +2010-02-21 20:00:48.834: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-21 20:00:48.844: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-21 20:00:48.844: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-21 20:00:48.878: debug: Cmd dnssec-signzone return: "zone.db.dsigned" +2010-02-21 20:00:48.878: notice: "dyn.example.net.": thaw dynamic zone +2010-02-21 20:00:48.878: debug: thaw dynamic zone "dyn.example.net." +2010-02-21 20:00:48.878: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." +2010-02-21 20:00:48.884: debug: Signing completed after 0s. 
+2010-02-21 20:01:11.175: debug: Check RFC5011 status +2010-02-21 20:01:11.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 20:01:11.175: debug: Check KSK status +2010-02-21 20:01:11.175: debug: Check ZSK status +2010-02-21 20:01:11.176: debug: Re-signing necessary: Option -f +2010-02-21 20:01:11.176: notice: "dyn.example.net.": re-signing triggered: Option -f +2010-02-21 20:01:11.176: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-21 20:01:11.176: debug: Signing zone "dyn.example.net." +2010-02-21 20:01:11.176: notice: "dyn.example.net.": freeze dynamic zone +2010-02-21 20:01:11.176: debug: freeze dynamic zone "dyn.example.net." +2010-02-21 20:01:11.176: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-21 20:01:11.181: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-21 20:01:11.181: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-21 20:01:11.202: debug: Cmd dnssec-signzone return: "zone.db.dsigned" +2010-02-21 20:01:11.202: notice: "dyn.example.net.": thaw dynamic zone +2010-02-21 20:01:11.203: debug: thaw dynamic zone "dyn.example.net." +2010-02-21 20:01:11.203: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." +2010-02-21 20:01:11.208: debug: Signing completed after 0s. +2010-02-21 20:01:17.175: debug: Check RFC5011 status +2010-02-21 20:01:17.175: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 20:01:17.175: debug: Check KSK status +2010-02-21 20:01:17.175: debug: Check ZSK status +2010-02-21 20:01:17.176: debug: Re-signing not necessary! 
+2010-02-21 20:01:17.176: debug: Check if there is a parent file to copy +2010-02-25 23:42:29.326: debug: Check RFC5011 status +2010-02-25 23:42:29.326: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-25 23:42:29.326: debug: Check KSK status +2010-02-25 23:42:29.326: debug: Check ZSK status +2010-02-25 23:42:29.326: debug: Re-signing necessary: re-signing interval (2d) reached +2010-02-25 23:42:29.326: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached +2010-02-25 23:42:29.326: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-02-25 23:42:29.327: debug: Signing zone "dyn.example.net." +2010-02-25 23:42:29.327: notice: "dyn.example.net.": freeze dynamic zone +2010-02-25 23:42:29.327: debug: freeze dynamic zone "dyn.example.net." +2010-02-25 23:42:29.327: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-02-25 23:42:29.388: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-02-25 23:42:29.425: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-02-25 23:42:29.471: debug: Cmd dnssec-signzone return: "zone.db.dsigned" +2010-02-25 23:42:29.471: notice: "dyn.example.net.": thaw dynamic zone +2010-02-25 23:42:29.471: debug: thaw dynamic zone "dyn.example.net." +2010-02-25 23:42:29.471: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." +2010-02-25 23:42:29.486: debug: Signing completed after 0s. 
+2010-03-02 10:59:46.770: debug: Check RFC5011 status +2010-03-02 10:59:46.770: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-02 10:59:46.770: debug: Check KSK status +2010-03-02 10:59:46.770: debug: Check ZSK status +2010-03-02 10:59:46.770: debug: Re-signing necessary: re-signing interval (2d) reached +2010-03-02 10:59:46.770: notice: "dyn.example.net.": re-signing triggered: re-signing interval (2d) reached +2010-03-02 10:59:46.770: debug: Writing key file "./dyn.example.net/dnskey.db" +2010-03-02 10:59:46.770: debug: Signing zone "dyn.example.net." +2010-03-02 10:59:46.770: notice: "dyn.example.net.": freeze dynamic zone +2010-03-02 10:59:46.770: debug: freeze dynamic zone "dyn.example.net." +2010-03-02 10:59:46.770: debug: Run cmd "/usr/local/sbin/rndc freeze dyn.example.net." +2010-03-02 10:59:46.852: debug: Dynamic Zone signing: copy old signed zone file ./dyn.example.net/zone.db.dsigned to new input file ./dyn.example.net/zone.db +2010-03-02 10:59:46.875: debug: Run cmd "cd ./dyn.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 76931F -C -g -p -d ../keysets -o dyn.example.net. -e +518400 -N increment -f zone.db.dsigned zone.db K*.private 2>&1" +2010-03-02 10:59:46.950: debug: Cmd dnssec-signzone return: "zone.db.dsigned" +2010-03-02 10:59:46.950: notice: "dyn.example.net.": thaw dynamic zone +2010-03-02 10:59:46.950: debug: thaw dynamic zone "dyn.example.net." +2010-03-02 10:59:46.950: debug: Run cmd "/usr/local/sbin/rndc thaw dyn.example.net." +2010-03-02 10:59:46.964: debug: Signing completed after 0s. diff --git a/contrib/zkt-1.1.3/examples/flat/example.net/zktlog-example.net. b/contrib/zkt-1.1.3/examples/flat/example.net/zktlog-example.net. new file mode 100644 index 0000000000..cc04a73425 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/flat/example.net/zktlog-example.net. 
@@ -0,0 +1,687 @@ +2010-02-06 00:26:54.533: debug: Check RFC5011 status +2010-02-06 00:26:54.533: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:26:54.533: debug: Check KSK status +2010-02-06 00:26:54.533: debug: Check ZSK status +2010-02-06 00:26:54.533: debug: Re-signing not necessary! +2010-02-06 00:26:54.533: debug: Check if there is a parent file to copy +2010-02-06 00:29:31.291: debug: Check RFC5011 status +2010-02-06 00:29:31.291: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:29:31.291: debug: Check KSK status +2010-02-06 00:29:31.292: debug: Check ZSK status +2010-02-06 00:29:31.292: debug: Re-signing not necessary! +2010-02-06 00:29:31.292: debug: Check if there is a parent file to copy +2010-02-06 00:40:35.043: debug: Check RFC5011 status +2010-02-06 00:40:35.043: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:40:35.043: debug: Check KSK status +2010-02-06 00:40:35.043: debug: Check ZSK status +2010-02-06 00:40:35.043: debug: Re-signing not necessary! +2010-02-06 00:40:35.043: debug: Check if there is a parent file to copy +2010-02-06 00:52:55.403: debug: Check RFC5011 status +2010-02-06 00:52:55.403: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-06 00:52:55.403: debug: Check KSK status +2010-02-06 00:52:55.403: debug: Check ZSK status +2010-02-06 00:52:55.403: debug: Re-signing not necessary! +2010-02-06 00:52:55.403: debug: Check if there is a parent file to copy +2010-02-07 13:53:48.304: debug: Check RFC5011 status +2010-02-07 13:53:48.304: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:53:48.304: debug: Check KSK status +2010-02-07 13:53:48.304: debug: Check ZSK status +2010-02-07 13:53:48.304: debug: Re-signing not necessary! 
+2010-02-07 13:53:48.304: debug: Check if there is a parent file to copy +2010-02-07 13:54:03.466: debug: Check RFC5011 status +2010-02-07 13:54:03.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:54:03.466: debug: Check KSK status +2010-02-07 13:54:03.466: debug: Check ZSK status +2010-02-07 13:54:03.466: debug: Re-signing not necessary! +2010-02-07 13:54:03.466: debug: Check if there is a parent file to copy +2010-02-07 13:54:08.019: debug: Check RFC5011 status +2010-02-07 13:54:08.019: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 13:54:08.020: debug: Check KSK status +2010-02-07 13:54:08.020: debug: Check ZSK status +2010-02-07 13:54:08.020: debug: Re-signing necessary: Option -f +2010-02-07 13:54:08.020: notice: "example.net.": re-signing triggered: Option -f +2010-02-07 13:54:08.020: debug: Writing key file "./example.net/dnskey.db" +2010-02-07 13:54:08.020: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-07 13:54:08.020: debug: Signing zone "example.net." +2010-02-07 13:54:08.021: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-07 13:54:08.125: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-07 13:54:08.125: debug: Signing completed after 0s. +2010-02-07 13:54:08.125: notice: "example.net.": distribution triggered +2010-02-07 13:54:08.125: debug: Distribute zone "example.net." +2010-02-07 13:54:08.125: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed " +2010-02-07 13:54:08.129: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./" +2010-02-07 13:54:08.129: notice: "example.net.": reload triggered +2010-02-07 13:54:08.129: debug: Reload zone "example.net." +2010-02-07 13:54:08.129: debug: Run cmd "./dist.sh reload example.net. 
./example.net/zone.db.signed " +2010-02-07 13:54:08.139: debug: ./dist.sh reload return: "rndc reload example.net. " +2010-02-07 14:06:27.670: debug: Check RFC5011 status +2010-02-07 14:06:27.670: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 14:06:27.670: debug: Check KSK status +2010-02-07 14:06:27.670: debug: Check ZSK status +2010-02-07 14:06:27.670: debug: Re-signing not necessary! +2010-02-07 14:06:27.671: debug: Check if there is a parent file to copy +2010-02-07 14:06:33.753: debug: Check RFC5011 status +2010-02-07 14:06:33.753: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-07 14:06:33.753: debug: Check KSK status +2010-02-07 14:06:33.753: debug: Check ZSK status +2010-02-07 14:06:33.753: debug: Re-signing necessary: Option -f +2010-02-07 14:06:33.753: notice: "example.net.": re-signing triggered: Option -f +2010-02-07 14:06:33.753: debug: Writing key file "./example.net/dnskey.db" +2010-02-07 14:06:33.754: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-07 14:06:33.754: debug: Signing zone "example.net." +2010-02-07 14:06:33.754: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-07 14:06:33.790: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-07 14:06:33.790: debug: Signing completed after 0s. +2010-02-07 14:06:33.790: notice: "example.net.": distribution triggered +2010-02-07 14:06:33.790: debug: Distribute zone "example.net." +2010-02-07 14:06:33.790: debug: Run cmd "./dist.sh distribute example.net. ./example.net/zone.db.signed " +2010-02-07 14:06:33.794: debug: ./dist.sh distribute return: "scp ./example.net/zone.db.signed localhost:/var/named/example.net./" +2010-02-07 14:06:33.794: notice: "example.net.": reload triggered +2010-02-07 14:06:33.794: debug: Reload zone "example.net." +2010-02-07 14:06:33.794: debug: Run cmd "./dist.sh reload example.net. 
./example.net/zone.db.signed " +2010-02-07 14:06:33.797: debug: ./dist.sh reload return: "rndc reload example.net. " +2010-02-21 12:50:43.587: debug: Check RFC5011 status +2010-02-21 12:50:43.587: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:50:43.587: debug: Check KSK status +2010-02-21 12:50:43.587: debug: Check ZSK status +2010-02-21 12:50:43.587: debug: Lifetime(1209600 +/-150 sec) of active key 33002 exceeded (2394625 sec) +2010-02-21 12:50:43.587: debug: ->depreciate it +2010-02-21 12:50:43.587: debug: ->activate published key 29240 +2010-02-21 12:50:43.587: notice: "example.net.": lifetime of zone signing key 33002 exceeded: ZSK rollover done +2010-02-21 12:50:43.587: debug: New key for publishing needed +2010-02-21 12:50:43.658: debug: ->creating new key 5525 +2010-02-21 12:50:43.658: info: "example.net.": new key 5525 generated for publishing +2010-02-21 12:50:43.658: debug: Re-signing necessary: Modfied zone key set +2010-02-21 12:50:43.658: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-02-21 12:50:43.658: debug: Writing key file "./example.net/dnskey.db" +2010-02-21 12:50:43.665: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-21 12:50:43.665: debug: Signing zone "example.net." +2010-02-21 12:50:43.665: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-21 12:50:43.733: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 12:50:43.733: debug: Signing completed after 0s. +2010-02-21 12:50:51.205: debug: Check RFC5011 status +2010-02-21 12:50:51.205: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:50:51.205: debug: Check KSK status +2010-02-21 12:50:51.205: debug: Check ZSK status +2010-02-21 12:50:51.205: debug: Re-signing not necessary! 
+2010-02-21 12:50:51.205: debug: Check if there is a parent file to copy +2010-02-21 12:51:23.497: debug: Check RFC5011 status +2010-02-21 12:51:23.497: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 12:51:23.497: debug: Check KSK status +2010-02-21 12:51:23.497: debug: Check ZSK status +2010-02-21 12:51:23.497: debug: Re-signing not necessary! +2010-02-21 12:51:23.497: debug: Check if there is a parent file to copy +2010-02-21 19:16:18.594: debug: Check RFC5011 status +2010-02-21 19:16:18.594: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:16:18.594: debug: Check KSK status +2010-02-21 19:16:18.594: debug: Check ZSK status +2010-02-21 19:16:18.594: debug: Re-signing not necessary! +2010-02-21 19:16:18.594: debug: Check if there is a parent file to copy +2010-02-21 19:32:11.378: debug: Check RFC5011 status +2010-02-21 19:32:11.378: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:11.378: debug: Check KSK status +2010-02-21 19:32:11.378: debug: Check ZSK status +2010-02-21 19:32:11.378: debug: Re-signing not necessary! +2010-02-21 19:32:11.378: debug: Check if there is a parent file to copy +2010-02-21 19:32:15.982: debug: Check RFC5011 status +2010-02-21 19:32:15.982: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:15.982: debug: Check KSK status +2010-02-21 19:32:15.982: debug: Check ZSK status +2010-02-21 19:32:15.982: debug: Re-signing necessary: Option -f +2010-02-21 19:32:15.982: notice: "example.net.": re-signing triggered: Option -f +2010-02-21 19:32:15.982: debug: Writing key file "./example.net/dnskey.db" +2010-02-21 19:32:15.982: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-21 19:32:15.982: debug: Signing zone "example.net." +2010-02-21 19:32:15.982: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. 
-e +518400 zone.db K*.private 2>&1" +2010-02-21 19:32:16.019: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 19:32:16.019: debug: Signing completed after 1s. +2010-02-21 19:32:32.232: debug: Check RFC5011 status +2010-02-21 19:32:32.232: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-21 19:32:32.233: debug: Check KSK status +2010-02-21 19:32:32.233: debug: Check ZSK status +2010-02-21 19:32:32.233: debug: Re-signing necessary: Option -f +2010-02-21 19:32:32.233: notice: "example.net.": re-signing triggered: Option -f +2010-02-21 19:32:32.233: debug: Writing key file "./example.net/dnskey.db" +2010-02-21 19:32:32.233: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-21 19:32:32.233: debug: Signing zone "example.net." +2010-02-21 19:32:32.233: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-21 19:32:32.273: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-21 19:32:32.273: debug: Signing completed after 0s. +2010-02-25 00:12:27.060: debug: Check RFC5011 status +2010-02-25 00:12:27.060: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-25 00:12:27.060: debug: Check KSK status +2010-02-25 00:12:27.060: debug: Check ZSK status +2010-02-25 00:12:27.060: debug: Lifetime(29100 sec) of depreciated key 33002 exceeded (300104 sec) +2010-02-25 00:12:27.060: info: "example.net.": old ZSK 33002 removed +2010-02-25 00:12:27.081: debug: ->remove it +2010-02-25 00:12:27.082: debug: Re-signing necessary: Modfied zone key set +2010-02-25 00:12:27.082: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-02-25 00:12:27.082: debug: Writing key file "./example.net/dnskey.db" +2010-02-25 00:12:27.086: debug: Incrementing serial number in file "./example.net/zone.db" +2010-02-25 00:12:27.086: debug: Signing zone "example.net." 
+2010-02-25 00:12:27.086: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-02-25 00:12:27.173: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-02-25 00:12:27.174: debug: Signing completed after 0s. +2010-02-25 23:42:21.013: debug: Check RFC5011 status +2010-02-25 23:42:21.013: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-02-25 23:42:21.013: debug: Check KSK status +2010-02-25 23:42:21.013: debug: Check ZSK status +2010-02-25 23:42:21.013: debug: Re-signing not necessary! +2010-02-25 23:42:21.013: debug: Check if there is a parent file to copy +2010-03-02 10:59:12.416: debug: Check RFC5011 status +2010-03-02 10:59:12.416: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-02 10:59:12.416: debug: Check KSK status +2010-03-02 10:59:12.416: debug: Check ZSK status +2010-03-02 10:59:12.416: debug: Re-signing necessary: re-signing interval (2d) reached +2010-03-02 10:59:12.416: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached +2010-03-02 10:59:12.416: debug: Writing key file "./example.net/dnskey.db" +2010-03-02 10:59:12.449: debug: Incrementing serial number in file "./example.net/zone.db" +2010-03-02 10:59:12.449: debug: Signing zone "example.net." +2010-03-02 10:59:12.450: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-02 10:59:12.530: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-02 10:59:12.530: debug: Signing completed after 0s. +2010-03-03 23:22:00.415: debug: Check RFC5011 status +2010-03-03 23:22:00.415: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-03 23:22:00.415: debug: Check KSK status +2010-03-03 23:22:00.415: debug: Check ZSK status +2010-03-03 23:22:00.416: debug: Re-signing not necessary! 
+2010-03-03 23:22:00.416: debug: Check if there is a parent file to copy +2010-03-08 23:11:50.170: debug: Check RFC5011 status +2010-03-08 23:11:50.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-08 23:11:50.170: debug: Check KSK status +2010-03-08 23:11:50.170: debug: Check ZSK status +2010-03-08 23:11:50.171: debug: Lifetime(1209600 +/-150 sec) of active key 29240 exceeded (1333267 sec) +2010-03-08 23:11:50.171: debug: ->depreciate it +2010-03-08 23:11:50.171: debug: ->activate published key 5525 +2010-03-08 23:11:50.171: notice: "example.net.": lifetime of zone signing key 29240 exceeded: ZSK rollover done +2010-03-08 23:11:50.171: debug: New key for publishing needed +2010-03-08 23:11:50.228: debug: ->creating new key 21482 +2010-03-08 23:11:50.228: info: "example.net.": new key 21482 generated for publishing +2010-03-08 23:11:50.228: debug: Re-signing necessary: Modfied zone key set +2010-03-08 23:11:50.228: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-03-08 23:11:50.228: debug: Writing key file "././example.net/dnskey.db" +2010-03-08 23:11:50.235: debug: Incrementing serial number in file "././example.net/zone.db" +2010-03-08 23:11:50.235: debug: Signing zone "example.net." +2010-03-08 23:11:50.235: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-08 23:11:50.294: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-08 23:11:50.294: debug: Signing completed after 0s. 
+2010-03-08 23:12:56.212: debug: Check RFC5011 status +2010-03-08 23:12:56.212: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-08 23:12:56.212: debug: Check KSK status +2010-03-08 23:12:56.212: debug: Check ZSK status +2010-03-08 23:12:56.212: debug: Re-signing necessary: Modfied zone key set +2010-03-08 23:12:56.212: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-03-08 23:12:56.212: debug: Writing key file "././example.net/dnskey.db" +2010-03-08 23:12:56.213: debug: Incrementing serial number in file "././example.net/zone.db" +2010-03-08 23:12:56.213: debug: Signing zone "example.net." +2010-03-08 23:12:56.213: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-08 23:12:56.278: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-08 23:12:56.279: debug: Signing completed after 0s. +2010-03-08 23:13:36.984: debug: Check RFC5011 status +2010-03-08 23:13:36.984: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-08 23:13:36.984: debug: Check KSK status +2010-03-08 23:13:36.984: debug: Check ZSK status +2010-03-08 23:13:36.985: debug: Re-signing not necessary! +2010-03-08 23:13:36.985: debug: Check if there is a parent file to copy +2010-03-08 23:18:52.287: debug: Check RFC5011 status +2010-03-08 23:18:52.287: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-08 23:18:52.287: debug: Check KSK status +2010-03-08 23:18:52.287: debug: Check ZSK status +2010-03-08 23:18:52.287: debug: Re-signing not necessary! 
+2010-03-08 23:18:52.287: debug: Check if there is a parent file to copy +2010-03-11 23:46:35.831: debug: Check RFC5011 status +2010-03-11 23:46:35.831: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-11 23:46:35.831: debug: Check KSK status +2010-03-11 23:46:35.831: debug: Check ZSK status +2010-03-11 23:46:35.831: debug: Lifetime(29100 sec) of depreciated key 29240 exceeded (261285 sec) +2010-03-11 23:46:35.831: info: "example.net.": old ZSK 29240 removed +2010-03-11 23:46:35.832: debug: ->remove it +2010-03-11 23:46:35.832: debug: Re-signing necessary: Modfied zone key set +2010-03-11 23:46:35.832: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-03-11 23:46:35.832: debug: Writing key file "./example.net/dnskey.db" +2010-03-11 23:46:35.841: debug: Incrementing serial number in file "./example.net/zone.db" +2010-03-11 23:46:35.841: debug: Signing zone "example.net." +2010-03-11 23:46:35.841: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-11 23:46:35.929: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-11 23:46:35.929: debug: Signing completed after 0s. 
+2010-03-11 23:52:33.132: debug: Check RFC5011 status +2010-03-11 23:52:33.132: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-11 23:52:33.133: debug: Check KSK status +2010-03-11 23:52:33.133: debug: No active KSK found: generate new one +2010-03-11 23:52:33.374: info: "example.net.": generated new KSK 8406 +2010-03-11 23:52:33.374: debug: Check ZSK status +2010-03-11 23:52:33.374: debug: No active ZSK found: generate new one +2010-03-11 23:52:33.400: info: "example.net.": generated new ZSK 36257 +2010-03-11 23:52:33.400: debug: Re-signing necessary: Modfied zone key set +2010-03-11 23:52:33.400: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-03-11 23:52:33.400: debug: Writing key file "./example.net/dnskey.db" +2010-03-11 23:52:33.400: debug: Incrementing serial number in file "./example.net/zone.db" +2010-03-11 23:52:33.400: debug: Signing zone "example.net." +2010-03-11 23:52:33.400: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 69AE05 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-11 23:52:33.408: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC only DNSKEY" +2010-03-11 23:52:33.408: error: "example.net.": signing failed! +2010-03-11 23:53:27.856: debug: Check RFC5011 status +2010-03-11 23:53:27.856: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-03-11 23:53:27.856: debug: Check KSK status +2010-03-11 23:53:27.856: debug: Check ZSK status +2010-03-11 23:53:27.856: debug: Re-signing necessary: Modified keys +2010-03-11 23:53:27.856: notice: "example.net.": re-signing triggered: Modified keys +2010-03-11 23:53:27.856: debug: Writing key file "./example.net/dnskey.db" +2010-03-11 23:53:27.856: debug: Incrementing serial number in file "./example.net/zone.db" +2010-03-11 23:53:27.856: debug: Signing zone "example.net." 
+2010-03-11 23:53:27.856: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 67AA7F -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-03-11 23:53:27.920: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-03-11 23:53:27.920: debug: Signing completed after 0s. +2010-07-05 08:15:24.179: debug: Check RFC5011 status +2010-07-05 08:15:24.179: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-07-05 08:15:24.179: debug: Check KSK status +2010-07-05 08:15:24.179: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h49m44s +2010-07-05 08:15:24.179: debug: Check ZSK status +2010-07-05 08:15:24.179: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081384 sec) +2010-07-05 08:15:24.179: debug: ->waiting for published key +2010-07-05 08:15:24.179: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h49m44s: ZSK rollover deferred: waiting for published key +2010-07-05 08:15:24.179: debug: New key for publishing needed +2010-07-05 08:15:24.278: debug: ->creating new key 48476 +2010-07-05 08:15:24.278: info: "example.net.": new key 48476 generated for publishing +2010-07-05 08:15:24.278: debug: Re-signing necessary: Modfied zone key set +2010-07-05 08:15:24.278: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-07-05 08:15:24.278: debug: Writing key file "./example.net/dnskey.db" +2010-07-05 08:15:24.278: debug: Incrementing serial number in file "./example.net/zone.db" +2010-07-05 08:15:24.278: debug: Signing zone "example.net." +2010-07-05 08:15:24.278: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 5816F0 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-07-05 08:15:24.315: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-07-05 08:15:24.315: debug: Signing completed after 0s. 
+2010-07-05 08:15:28.174: debug: Check RFC5011 status +2010-07-05 08:15:28.174: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-07-05 08:15:28.174: debug: Check KSK status +2010-07-05 08:15:28.174: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h49m48s +2010-07-05 08:15:28.174: debug: Check ZSK status +2010-07-05 08:15:28.174: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081388 sec) +2010-07-05 08:15:28.174: debug: ->waiting for published key +2010-07-05 08:15:28.174: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h49m48s: ZSK rollover deferred: waiting for published key +2010-07-05 08:15:28.174: debug: Re-signing not necessary! +2010-07-05 08:15:28.174: debug: Check if there is a parent file to copy +2010-07-05 08:15:58.502: debug: Check RFC5011 status +2010-07-05 08:15:58.502: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-07-05 08:15:58.503: debug: Check KSK status +2010-07-05 08:15:58.503: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m18s +2010-07-05 08:15:58.503: debug: Check ZSK status +2010-07-05 08:15:58.503: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081418 sec) +2010-07-05 08:15:58.503: debug: ->waiting for published key +2010-07-05 08:15:58.503: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m18s: ZSK rollover deferred: waiting for published key +2010-07-05 08:15:58.503: debug: Re-signing not necessary! 
+2010-07-05 08:15:58.503: debug: Check if there is a parent file to copy +2010-07-05 08:16:04.937: debug: Check RFC5011 status +2010-07-05 08:16:04.937: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-07-05 08:16:04.937: debug: Check KSK status +2010-07-05 08:16:04.937: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m24s +2010-07-05 08:16:04.937: debug: Check ZSK status +2010-07-05 08:16:04.937: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081424 sec) +2010-07-05 08:16:04.937: debug: ->waiting for published key +2010-07-05 08:16:04.937: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m24s: ZSK rollover deferred: waiting for published key +2010-07-05 08:16:04.937: debug: Re-signing necessary: Option -f +2010-07-05 08:16:04.937: notice: "example.net.": re-signing triggered: Option -f +2010-07-05 08:16:04.937: debug: Writing key file "./example.net/dnskey.db" +2010-07-05 08:16:04.937: debug: Incrementing serial number in file "./example.net/zone.db" +2010-07-05 08:16:04.937: debug: Signing zone "example.net." +2010-07-05 08:16:04.937: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 C58544 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-07-05 08:16:04.993: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-07-05 08:16:04.993: debug: Signing completed after 0s. 
+2010-07-05 08:16:33.604: debug: Check RFC5011 status +2010-07-05 08:16:33.604: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-07-05 08:16:33.604: debug: Check KSK status +2010-07-05 08:16:33.604: warning: "example.net.": lifetime of key signing key 8406 exceeded since 4w5d12h50m53s +2010-07-05 08:16:33.604: debug: Check ZSK status +2010-07-05 08:16:33.604: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (8081453 sec) +2010-07-05 08:16:33.604: debug: ->waiting for published key +2010-07-05 08:16:33.604: notice: "example.net.": lifetime of zone signing key 36257 exceeded since 11w2d12h50m53s: ZSK rollover deferred: waiting for published key +2010-07-05 08:16:33.604: debug: Re-signing necessary: Option -f +2010-07-05 08:16:33.604: notice: "example.net.": re-signing triggered: Option -f +2010-07-05 08:16:33.604: debug: Writing key file "./example.net/dnskey.db" +2010-07-05 08:16:33.605: debug: Incrementing serial number in file "./example.net/zone.db" +2010-07-05 08:16:33.605: debug: Signing zone "example.net." +2010-07-05 08:16:33.605: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 FCB8E2 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-07-05 08:16:33.648: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-07-05 08:16:33.648: debug: Signing completed after 0s. 
+2010-07-30 01:30:55.411: debug: Check RFC5011 status +2010-07-30 01:30:55.411: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-07-30 01:30:55.411: debug: Check KSK status +2010-07-30 01:30:55.411: debug: Check ZSK status +2010-07-30 01:30:55.411: debug: Lifetime(1209600 +/-150 sec) of active key 36257 exceeded (2130473 sec) +2010-07-30 01:30:55.411: debug: ->depreciate it +2010-07-30 01:30:55.411: debug: ->activate published key 48476 +2010-07-30 01:30:55.411: notice: "example.net.": lifetime of zone signing key 36257 exceeded: ZSK rollover done +2010-07-30 01:30:55.411: debug: New key for publishing needed +2010-07-30 01:30:55.493: debug: ->creating new key 1775 +2010-07-30 01:30:55.493: info: "example.net.": new key 1775 generated for publishing +2010-07-30 01:30:55.493: debug: Re-signing necessary: Modfied zone key set +2010-07-30 01:30:55.493: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-07-30 01:30:55.493: debug: Writing key file "./example.net/dnskey.db" +2010-07-30 01:30:55.493: debug: Incrementing serial number in file "./example.net/zone.db" +2010-07-30 01:30:55.493: debug: Signing zone "example.net." +2010-07-30 01:30:55.494: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 3723BA -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-07-30 01:30:55.563: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-07-30 01:30:55.563: debug: Signing completed after 0s. 
+2010-08-26 22:52:09.539: debug: Check RFC5011 status +2010-08-26 22:52:09.539: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 22:52:09.539: debug: Check KSK status +2010-08-26 22:52:09.539: debug: Check ZSK status +2010-08-26 22:52:09.539: debug: Lifetime(29100 sec) of depreciated key 36257 exceeded (2409674 sec) +2010-08-26 22:52:09.539: info: "example.net.": old ZSK 36257 removed +2010-08-26 22:52:09.572: debug: ->remove it +2010-08-26 22:52:09.572: debug: Lifetime(1209600 +/-150 sec) of active key 48476 exceeded (2409674 sec) +2010-08-26 22:52:09.572: debug: ->depreciate it +2010-08-26 22:52:09.572: debug: ->activate published key 1775 +2010-08-26 22:52:09.572: notice: "example.net.": lifetime of zone signing key 48476 exceeded: ZSK rollover done +2010-08-26 22:52:09.572: debug: New key for publishing needed +2010-08-26 22:52:09.640: debug: ->creating new key 26477 +2010-08-26 22:52:09.640: info: "example.net.": new key 26477 generated for publishing +2010-08-26 22:52:09.640: debug: Re-signing necessary: Modfied zone key set +2010-08-26 22:52:09.640: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-08-26 22:52:09.640: debug: Writing key file "./example.net/dnskey.db" +2010-08-26 22:52:09.641: debug: Incrementing serial number in file "./example.net/zone.db" +2010-08-26 22:52:09.641: debug: Signing zone "example.net." +2010-08-26 22:52:09.641: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 2F41F9 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-08-26 22:52:09.704: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-08-26 22:52:09.704: debug: Signing completed after 0s. 
+2010-08-26 22:56:02.938: debug: Check RFC5011 status +2010-08-26 22:56:02.938: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 22:56:02.938: debug: Check KSK status +2010-08-26 22:56:02.938: debug: Check ZSK status +2010-08-26 22:56:02.938: debug: Re-signing not necessary! +2010-08-26 22:56:02.938: debug: Check if there is a parent file to copy +2010-08-26 23:06:00.593: debug: Check RFC5011 status +2010-08-26 23:06:00.593: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:06:00.593: debug: Check KSK status +2010-08-26 23:06:00.593: debug: Check ZSK status +2010-08-26 23:06:00.593: debug: New key for publishing needed +2010-08-26 23:06:00.631: debug: ->creating new key 18026 +2010-08-26 23:06:00.631: info: "example.net.": new key 18026 generated for publishing +2010-08-26 23:06:00.631: debug: Re-signing necessary: Modfied zone key set +2010-08-26 23:06:00.631: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-08-26 23:06:00.631: debug: Writing key file "./example.net/dnskey.db" +2010-08-26 23:06:00.631: debug: Incrementing serial number in file "./example.net/zone.db" +2010-08-26 23:06:00.631: debug: Signing zone "example.net." +2010-08-26 23:06:00.631: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 5EA89E -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-08-26 23:06:00.672: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-08-26 23:06:00.672: debug: Signing completed after 0s. +2010-08-26 23:11:33.808: debug: Check RFC5011 status +2010-08-26 23:11:33.808: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:11:33.809: debug: Check KSK status +2010-08-26 23:11:33.809: debug: Check ZSK status +2010-08-26 23:11:33.809: debug: Re-signing not necessary! 
+2010-08-26 23:11:33.809: debug: Check if there is a parent file to copy +2010-08-26 23:12:51.012: debug: Check RFC5011 status +2010-08-26 23:12:51.012: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:12:51.012: debug: Check KSK status +2010-08-26 23:12:51.012: debug: Check ZSK status +2010-08-26 23:12:51.012: debug: Re-signing not necessary! +2010-08-26 23:12:51.012: debug: Check if there is a parent file to copy +2010-08-26 23:23:47.886: debug: Check RFC5011 status +2010-08-26 23:23:47.886: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:23:47.886: debug: Check KSK status +2010-08-26 23:23:47.886: debug: Check ZSK status +2010-08-26 23:23:47.886: debug: Re-signing not necessary! +2010-08-26 23:23:47.886: debug: Check if there is a parent file to copy +2010-08-26 23:50:15.724: debug: Check RFC5011 status +2010-08-26 23:50:15.724: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:50:15.724: debug: Check KSK status +2010-08-26 23:50:15.724: debug: Check ZSK status +2010-08-26 23:50:15.725: debug: Re-signing not necessary! +2010-08-26 23:50:15.725: debug: Check if there is a parent file to copy +2010-08-26 23:50:55.124: debug: Check RFC5011 status +2010-08-26 23:50:55.124: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:50:55.124: debug: Check KSK status +2010-08-26 23:50:55.124: debug: Check ZSK status +2010-08-26 23:50:55.124: debug: Re-signing not necessary! +2010-08-26 23:50:55.124: debug: Check if there is a parent file to copy +2010-08-26 23:51:46.719: debug: Check RFC5011 status +2010-08-26 23:51:46.719: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:51:46.719: debug: Check KSK status +2010-08-26 23:51:46.719: debug: Check ZSK status +2010-08-26 23:51:46.719: debug: Re-signing not necessary! 
+2010-08-26 23:51:46.719: debug: Check if there is a parent file to copy +2010-08-26 23:54:22.824: debug: Check RFC5011 status +2010-08-26 23:54:22.824: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:54:22.824: debug: Check KSK status +2010-08-26 23:54:22.824: debug: Check ZSK status +2010-08-26 23:54:22.824: debug: Re-signing not necessary! +2010-08-26 23:54:22.825: debug: Check if there is a parent file to copy +2010-08-26 23:55:00.018: debug: Check RFC5011 status +2010-08-26 23:55:00.018: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:55:00.018: debug: Check KSK status +2010-08-26 23:55:00.018: debug: Check ZSK status +2010-08-26 23:55:00.018: debug: New key for pre-publishing needed +2010-08-26 23:55:00.110: debug: ->creating new key 18293 +2010-08-26 23:55:00.110: info: "example.net.": new key 18293 generated for pre-publishing +2010-08-26 23:55:00.110: debug: Re-signing necessary: Modfied zone key set +2010-08-26 23:55:00.110: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-08-26 23:55:00.110: debug: Writing key file "./example.net/dnskey.db" +2010-08-26 23:55:00.110: debug: Incrementing serial number in file "./example.net/zone.db" +2010-08-26 23:55:00.110: debug: Signing zone "example.net." +2010-08-26 23:55:00.111: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 EBE919 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-08-26 23:55:00.168: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-08-26 23:55:00.169: debug: Signing completed after 0s. 
+2010-08-26 23:56:17.466: debug: Check RFC5011 status +2010-08-26 23:56:17.466: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:56:17.466: debug: Check KSK status +2010-08-26 23:56:17.466: debug: Check ZSK status +2010-08-26 23:56:17.466: debug: Re-signing necessary: Modfied zone key set +2010-08-26 23:56:17.466: notice: "example.net.": re-signing triggered: Modfied zone key set +2010-08-26 23:56:17.466: debug: Writing key file "./example.net/dnskey.db" +2010-08-26 23:56:17.467: debug: Incrementing serial number in file "./example.net/zone.db" +2010-08-26 23:56:17.467: debug: Signing zone "example.net." +2010-08-26 23:56:17.467: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 A876E5 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-08-26 23:56:17.531: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-08-26 23:56:17.531: debug: Signing completed after 0s. +2010-08-26 23:57:00.178: debug: Check RFC5011 status +2010-08-26 23:57:00.178: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-08-26 23:57:00.178: debug: Check KSK status +2010-08-26 23:57:00.178: debug: Check ZSK status +2010-08-26 23:57:00.178: debug: Re-signing not necessary! 
+2010-08-26 23:57:00.178: debug: Check if there is a parent file to copy +2010-10-21 14:01:35.546: debug: Check RFC5011 status +2010-10-21 14:01:35.546: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:01:35.546: debug: Check KSK status +2010-10-21 14:01:35.546: debug: Check ZSK status +2010-10-21 14:01:35.546: debug: Re-signing necessary: re-signing interval (2d) reached +2010-10-21 14:01:35.546: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached +2010-10-21 14:01:35.546: debug: Writing key file "./example.net/dnskey.db" +2010-10-21 14:01:35.607: debug: Incrementing serial number in file "./example.net/zone.db" +2010-10-21 14:01:35.607: debug: Signing zone "example.net." +2010-10-21 14:01:35.607: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 9FC981 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2010-10-21 14:01:35.761: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-10-21 14:01:35.761: debug: Signing completed after 0s. +2010-10-21 14:02:09.209: debug: Check RFC5011 status +2010-10-21 14:02:09.209: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:02:09.209: debug: Check KSK status +2010-10-21 14:02:09.209: debug: Check ZSK status +2010-10-21 14:02:09.209: debug: Re-signing not necessary! +2010-10-21 14:02:09.209: debug: Check if there is a parent file to copy +2010-10-21 14:05:36.170: debug: Check RFC5011 status +2010-10-21 14:05:36.170: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:05:36.170: debug: Check KSK status +2010-10-21 14:05:36.170: debug: Check ZSK status +2010-10-21 14:05:36.170: debug: Re-signing not necessary! 
+2010-10-21 14:05:36.170: debug: Check if there is a parent file to copy +2010-10-21 14:30:43.892: debug: Check RFC5011 status +2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:30:43.892: debug: Check KSK status +2010-10-21 14:30:43.892: debug: Check ZSK status +2010-10-21 14:30:43.892: debug: Re-signing not necessary! +2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy +2014-11-14 18:04:37.729: debug: Check RFC5011 status +2014-11-14 18:04:37.729: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:04:37.729: debug: Check KSK status +2014-11-14 18:04:37.729: debug: Check ZSK status +2014-11-14 18:04:37.729: debug: Re-signing necessary: Modified keys +2014-11-14 18:04:37.729: notice: "example.net.": re-signing triggered: Modified keys +2014-11-14 18:04:37.729: debug: Writing key file "./example.net/dnskey.db" +2014-11-14 18:04:37.730: debug: Incrementing serial number in file "./example.net/zone.db" +2014-11-14 18:04:37.730: debug: Signing zone "example.net." +2014-11-14 18:04:37.730: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 97195D -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-14 18:04:37.827: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-14 18:04:37.827: debug: Signing completed after 0s. 
+2014-11-14 18:09:16.427: debug: Check RFC5011 status +2014-11-14 18:09:16.427: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:09:16.427: debug: Check KSK status +2014-11-14 18:09:16.428: debug: No active KSK found: generate new one +2014-11-14 18:09:16.495: info: "example.net.": generated new KSK 44671 +2014-11-14 18:09:16.495: debug: Check ZSK status +2014-11-14 18:09:16.495: debug: No active ZSK found: generate new one +2014-11-14 18:09:16.515: info: "example.net.": generated new ZSK 7929 +2014-11-14 18:09:16.515: debug: New key for pre-publishing needed +2014-11-14 18:09:16.546: debug: ->creating new key 2253 +2014-11-14 18:09:16.546: info: "example.net.": new key 2253 generated for pre-publishing +2014-11-14 18:09:16.546: debug: Re-signing necessary: Modified zone key set +2014-11-14 18:09:16.546: notice: "example.net.": re-signing triggered: Modified zone key set +2014-11-14 18:09:16.547: debug: Writing key file "./example.net/dnskey.db" +2014-11-14 18:09:16.547: debug: Incrementing serial number in file "./example.net/zone.db" +2014-11-14 18:09:16.547: debug: Signing zone "example.net." +2014-11-14 18:09:16.547: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 B26BB7 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-14 18:09:16.646: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-14 18:09:16.646: debug: Signing completed after 0s. +2014-11-14 18:11:40.877: debug: Check RFC5011 status +2014-11-14 18:11:40.877: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:11:40.877: debug: Check KSK status +2014-11-14 18:11:40.877: debug: Check ZSK status +2014-11-14 18:11:40.877: debug: Re-signing not necessary! 
+2014-11-14 18:11:40.877: debug: Check if there is a parent file to copy +2014-11-14 18:11:46.599: debug: Check RFC5011 status +2014-11-14 18:11:46.599: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:11:46.599: debug: Check KSK status +2014-11-14 18:11:46.599: debug: Check ZSK status +2014-11-14 18:11:46.599: debug: Re-signing not necessary! +2014-11-14 18:11:46.599: debug: Check if there is a parent file to copy +2014-11-14 18:15:54.380: debug: Check RFC5011 status +2014-11-14 18:15:54.380: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:15:54.380: debug: Check KSK status +2014-11-14 18:15:54.380: debug: Check ZSK status +2014-11-14 18:15:54.380: debug: Re-signing not necessary! +2014-11-14 18:15:54.380: debug: Check if there is a parent file to copy +2014-11-14 18:31:09.365: debug: Check RFC5011 status +2014-11-14 18:31:09.365: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:31:09.365: debug: Check KSK status +2014-11-14 18:31:09.365: debug: Check ZSK status +2014-11-14 18:31:09.365: debug: Re-signing necessary: Modified keys +2014-11-14 18:31:09.365: notice: "example.net.": re-signing triggered: Modified keys +2014-11-14 18:31:09.365: debug: Writing key file "././example.net/dnskey.db" +2014-11-14 18:31:09.366: debug: Incrementing serial number in file "././example.net/zone.db" +2014-11-14 18:31:09.366: debug: Signing zone "example.net." +2014-11-14 18:31:09.366: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 8B4599 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-14 18:31:09.488: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-14 18:31:09.488: debug: Signing completed after 0s. 
+2014-11-14 18:31:27.335: debug: Check RFC5011 status +2014-11-14 18:31:27.335: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:31:27.335: debug: Check KSK status +2014-11-14 18:31:27.335: debug: Check ZSK status +2014-11-14 18:31:27.335: debug: Re-signing not necessary! +2014-11-14 18:31:27.335: debug: Check if there is a parent file to copy +2014-11-14 18:38:16.356: debug: Check RFC5011 status +2014-11-14 18:38:16.356: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:38:16.356: debug: Check KSK status +2014-11-14 18:38:16.356: debug: Check ZSK status +2014-11-14 18:38:16.356: debug: Re-signing necessary: Modified keys +2014-11-14 18:38:16.356: notice: "example.net.": re-signing triggered: Modified keys +2014-11-14 18:38:16.356: debug: Writing key file "././example.net/dnskey.db" +2014-11-14 18:38:16.356: debug: Incrementing serial number in file "././example.net/zone.db" +2014-11-14 18:38:16.356: debug: Signing zone "example.net." +2014-11-14 18:38:16.356: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 BEBFB0 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-14 18:38:16.484: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-14 18:38:16.484: debug: Signing completed after 0s. +2014-11-15 18:16:50.572: debug: Check RFC5011 status +2014-11-15 18:16:50.572: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:16:50.572: debug: Check KSK status +2014-11-15 18:16:50.572: debug: Check ZSK status +2014-11-15 18:16:50.573: debug: Re-signing necessary: Modified keys +2014-11-15 18:16:50.573: notice: "example.net.": re-signing triggered: Modified keys +2014-11-15 18:16:50.573: debug: Writing key file "././example.net/dnskey.db" +2014-11-15 18:16:50.573: debug: Incrementing serial number in file "././example.net/zone.db" +2014-11-15 18:16:50.573: debug: Signing zone "example.net." 
+2014-11-15 18:16:50.573: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 DC5680 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-15 18:16:50.715: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-15 18:16:50.715: debug: Signing completed after 0s. +2014-11-15 18:16:54.202: debug: Check RFC5011 status +2014-11-15 18:16:54.202: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:16:54.202: debug: Check KSK status +2014-11-15 18:16:54.203: debug: Check ZSK status +2014-11-15 18:16:54.203: debug: Re-signing not necessary! +2014-11-15 18:16:54.203: debug: Check if there is a parent file to copy +2014-11-15 18:17:06.919: debug: Check RFC5011 status +2014-11-15 18:17:06.919: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:17:06.919: debug: Check KSK status +2014-11-15 18:17:06.919: debug: Check ZSK status +2014-11-15 18:17:06.919: debug: Re-signing necessary: Modified keys +2014-11-15 18:17:06.919: notice: "example.net.": re-signing triggered: Modified keys +2014-11-15 18:17:06.919: debug: Writing key file "././example.net/dnskey.db" +2014-11-15 18:17:06.919: debug: Incrementing serial number in file "././example.net/zone.db" +2014-11-15 18:17:06.919: debug: Signing zone "example.net." +2014-11-15 18:17:06.919: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 D82F90 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-15 18:17:07.040: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-15 18:17:07.040: debug: Signing completed after 1s. 
+2014-11-15 18:17:17.242: debug: Check RFC5011 status +2014-11-15 18:17:17.242: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:17:17.242: debug: Check KSK status +2014-11-15 18:17:17.243: debug: Check ZSK status +2014-11-15 18:17:17.243: debug: Re-signing necessary: Zone file edited +2014-11-15 18:17:17.243: notice: "example.net.": re-signing triggered: Zone file edited +2014-11-15 18:17:17.243: debug: Writing key file "././example.net/dnskey.db" +2014-11-15 18:17:17.243: debug: Incrementing serial number in file "././example.net/zone.db" +2014-11-15 18:17:17.243: debug: Signing zone "example.net." +2014-11-15 18:17:17.243: debug: Run cmd "cd ././example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 603310 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-15 18:17:17.365: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-15 18:17:17.365: debug: Signing completed after 0s. +2014-11-17 19:12:44.250: debug: Check RFC5011 status +2014-11-17 19:12:44.250: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:12:44.250: debug: Check KSK status +2014-11-17 19:12:44.250: debug: Check ZSK status +2014-11-17 19:12:44.250: debug: Re-signing necessary: re-signing interval (2d) reached +2014-11-17 19:12:44.250: notice: "example.net.": re-signing triggered: re-signing interval (2d) reached +2014-11-17 19:12:44.250: debug: Writing key file "./example.net/dnskey.db" +2014-11-17 19:12:44.251: debug: Incrementing serial number in file "./example.net/zone.db" +2014-11-17 19:12:44.251: debug: Signing zone "example.net." +2014-11-17 19:12:44.251: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 9F5882 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-17 19:12:44.392: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-17 19:12:44.392: debug: Signing completed after 0s. 
+2014-11-17 19:12:49.692: debug: Check RFC5011 status +2014-11-17 19:12:49.692: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:12:49.692: debug: Check KSK status +2014-11-17 19:12:49.692: debug: Check ZSK status +2014-11-17 19:12:49.692: debug: Re-signing not necessary! +2014-11-17 19:12:49.692: debug: Check if there is a parent file to copy +2014-11-17 19:13:02.603: debug: Check RFC5011 status +2014-11-17 19:13:02.603: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:13:02.603: debug: Check KSK status +2014-11-17 19:13:02.603: debug: Check ZSK status +2014-11-17 19:13:02.603: debug: Re-signing not necessary! +2014-11-17 19:13:02.603: debug: Check if there is a parent file to copy +2014-11-17 19:13:50.410: debug: Check RFC5011 status +2014-11-17 19:13:50.410: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:13:50.410: debug: Check KSK status +2014-11-17 19:13:50.410: debug: Check ZSK status +2014-11-17 19:13:50.410: debug: Re-signing necessary: Modified keys +2014-11-17 19:13:50.410: notice: "example.net.": re-signing triggered: Modified keys +2014-11-17 19:13:50.410: debug: Writing key file "./example.net/dnskey.db" +2014-11-17 19:13:50.410: debug: Incrementing serial number in file "./example.net/zone.db" +2014-11-17 19:13:50.410: debug: Signing zone "example.net." +2014-11-17 19:13:50.411: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 053453 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-17 19:13:50.525: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-17 19:13:50.525: debug: Signing completed after 0s. 
+2014-11-17 19:13:54.302: debug: Check RFC5011 status +2014-11-17 19:13:54.302: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:13:54.302: debug: Check KSK status +2014-11-17 19:13:54.302: debug: Check ZSK status +2014-11-17 19:13:54.302: debug: Re-signing not necessary! +2014-11-17 19:13:54.302: debug: Check if there is a parent file to copy +2014-11-17 19:14:01.846: debug: Check RFC5011 status +2014-11-17 19:14:01.846: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:14:01.846: debug: Check KSK status +2014-11-17 19:14:01.846: debug: Check ZSK status +2014-11-17 19:14:01.846: debug: Re-signing necessary: Zone file edited +2014-11-17 19:14:01.846: notice: "example.net.": re-signing triggered: Zone file edited +2014-11-17 19:14:01.846: debug: Writing key file "./example.net/dnskey.db" +2014-11-17 19:14:01.846: debug: Incrementing serial number in file "./example.net/zone.db" +2014-11-17 19:14:01.846: debug: Signing zone "example.net." +2014-11-17 19:14:01.847: debug: Run cmd "cd ./example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -A -3 7CF530 -C -g -p -d ../keysets -o example.net. -e +518400 zone.db K*.private 2>&1" +2014-11-17 19:14:01.969: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-17 19:14:01.969: debug: Signing completed after 0s. diff --git a/contrib/zkt-1.1.3/examples/flat/sub.example.net/zktlog-sub.example.net. b/contrib/zkt-1.1.3/examples/flat/sub.example.net/zktlog-sub.example.net. new file mode 100644 index 0000000000..709d18e117 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/flat/sub.example.net/zktlog-sub.example.net. 
@@ -0,0 +1,218 @@ +2010-10-21 14:01:35.486: debug: Check RFC5011 status +2010-10-21 14:01:35.486: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:01:35.486: debug: Check KSK status +2010-10-21 14:01:35.486: debug: Check ZSK status +2010-10-21 14:01:35.486: debug: No active ZSK found: generate new one +2010-10-21 14:01:35.495: error: sub.example.net.": can't generate new ZSK +2010-10-21 14:01:35.495: debug: Re-signing necessary: Modfied zone key set +2010-10-21 14:01:35.496: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2010-10-21 14:01:35.496: debug: Writing key file "./sub.example.net/dnskey.db" +2010-10-21 14:01:35.496: debug: Incrementing serial number in file "./sub.example.net/zone.db" +2010-10-21 14:01:35.496: debug: Signing zone "sub.example.net." +2010-10-21 14:01:35.496: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9FC981 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2010-10-21 14:01:35.546: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed." +2010-10-21 14:01:35.546: error: "sub.example.net.": signing failed! +2010-10-21 14:02:09.146: debug: Check RFC5011 status +2010-10-21 14:02:09.146: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:02:09.146: debug: Check KSK status +2010-10-21 14:02:09.146: debug: Check ZSK status +2010-10-21 14:02:09.146: debug: No active ZSK found: generate new one +2010-10-21 14:02:09.156: error: sub.example.net.": can't generate new ZSK +2010-10-21 14:02:09.156: debug: Re-signing necessary: Modified keys +2010-10-21 14:02:09.156: notice: "sub.example.net.": re-signing triggered: Modified keys +2010-10-21 14:02:09.156: debug: Writing key file "./sub.example.net/dnskey.db" +2010-10-21 14:02:09.157: debug: Incrementing serial number in file "./sub.example.net/zone.db" +2010-10-21 14:02:09.157: debug: Signing zone "sub.example.net." 
+2010-10-21 14:02:09.157: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 BD326D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2010-10-21 14:02:09.208: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: DNSSEC completeness test failed." +2010-10-21 14:02:09.208: error: "sub.example.net.": signing failed! +2010-10-21 14:05:35.988: debug: Check RFC5011 status +2010-10-21 14:05:35.988: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:05:35.988: debug: Check KSK status +2010-10-21 14:05:35.988: debug: Check ZSK status +2010-10-21 14:05:35.988: debug: No active ZSK found: generate new one +2010-10-21 14:05:36.091: info: "sub.example.net.": generated new ZSK 7987 +2010-10-21 14:05:36.091: debug: Re-signing necessary: Modfied zone key set +2010-10-21 14:05:36.091: notice: "sub.example.net.": re-signing triggered: Modfied zone key set +2010-10-21 14:05:36.091: debug: Writing key file "./sub.example.net/dnskey.db" +2010-10-21 14:05:36.091: debug: Incrementing serial number in file "./sub.example.net/zone.db" +2010-10-21 14:05:36.091: debug: Signing zone "sub.example.net." +2010-10-21 14:05:36.091: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 75DE06 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2010-10-21 14:05:36.170: debug: Cmd dnssec-signzone return: "zone.db.signed" +2010-10-21 14:05:36.170: debug: Signing completed after 0s. +2010-10-21 14:30:43.892: debug: Check RFC5011 status +2010-10-21 14:30:43.892: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2010-10-21 14:30:43.892: debug: Check KSK status +2010-10-21 14:30:43.892: debug: Check ZSK status +2010-10-21 14:30:43.892: debug: Re-signing not necessary! 
+2010-10-21 14:30:43.892: debug: Check if there is a parent file to copy +2014-11-14 18:04:37.686: debug: Check RFC5011 status +2014-11-14 18:04:37.686: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:04:37.686: debug: Check KSK status +2014-11-14 18:04:37.686: warning: "sub.example.net.": lifetime of key signing key 33176 exceeded since 4d8h26m2s +2014-11-14 18:04:37.686: debug: Check ZSK status +2014-11-14 18:04:37.686: debug: Lifetime(259200 +/-150 sec) of active key 7987 exceeded (980762 sec) +2014-11-14 18:04:37.686: debug: ->waiting for published key +2014-11-14 18:04:37.686: notice: "sub.example.net.": lifetime of zone signing key 7987 exceeded since 1w1d8h26m2s: ZSK rollover deferred: waiting for published key +2014-11-14 18:04:37.686: debug: New ZSK for publishing needed +2014-11-14 18:04:37.721: debug: ->creating new key 39632 +2014-11-14 18:04:37.721: info: "sub.example.net.": new zone signing key 39632 generated for publishing +2014-11-14 18:04:37.721: debug: Re-signing necessary: Modified zone key set +2014-11-14 18:04:37.721: notice: "sub.example.net.": re-signing triggered: Modified zone key set +2014-11-14 18:04:37.721: debug: Writing key file "./sub.example.net/dnskey.db" +2014-11-14 18:04:37.721: debug: Incrementing serial number in file "./sub.example.net/zone.db" +2014-11-14 18:04:37.721: debug: Signing zone "sub.example.net." +2014-11-14 18:04:37.722: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 97195D -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2014-11-14 18:04:37.729: debug: Cmd dnssec-signzone return: "dnssec-signzone: fatal: NSEC3 generation requested with NSEC-only DNSKEY" +2014-11-14 18:04:37.729: error: "sub.example.net.": signing failed! 
+2014-11-14 18:09:16.251: debug: Check RFC5011 status +2014-11-14 18:09:16.251: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:09:16.251: debug: Check KSK status +2014-11-14 18:09:16.251: debug: No active KSK found: generate new one +2014-11-14 18:09:16.288: info: "sub.example.net.": generated new KSK 60396 +2014-11-14 18:09:16.288: debug: Check ZSK status +2014-11-14 18:09:16.288: debug: No active ZSK found: generate new one +2014-11-14 18:09:16.329: info: "sub.example.net.": generated new ZSK 21503 +2014-11-14 18:09:16.329: debug: Re-signing necessary: Modified zone key set +2014-11-14 18:09:16.329: notice: "sub.example.net.": re-signing triggered: Modified zone key set +2014-11-14 18:09:16.329: debug: Writing key file "./sub.example.net/dnskey.db" +2014-11-14 18:09:16.330: debug: Incrementing serial number in file "./sub.example.net/zone.db" +2014-11-14 18:09:16.330: debug: Signing zone "sub.example.net." +2014-11-14 18:09:16.330: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 B26BB7 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2014-11-14 18:09:16.427: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-14 18:09:16.427: debug: Signing completed after 0s. +2014-11-14 18:11:40.699: debug: Check RFC5011 status +2014-11-14 18:11:40.699: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:11:40.699: debug: Check KSK status +2014-11-14 18:11:40.699: debug: Check ZSK status +2014-11-14 18:11:40.699: debug: Re-signing necessary: Modified keys +2014-11-14 18:11:40.699: notice: "sub.example.net.": re-signing triggered: Modified keys +2014-11-14 18:11:40.699: debug: Writing key file "././sub.example.net/dnskey.db" +2014-11-14 18:11:40.699: debug: Incrementing serial number in file "././sub.example.net/zone.db" +2014-11-14 18:11:40.699: debug: Signing zone "sub.example.net." 
+2014-11-14 18:11:40.699: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 E8CBA9 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2014-11-14 18:11:40.876: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-14 18:11:40.876: debug: Signing completed after 0s. +2014-11-14 18:11:46.599: debug: Check RFC5011 status +2014-11-14 18:11:46.599: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:11:46.599: debug: Check KSK status +2014-11-14 18:11:46.599: debug: Check ZSK status +2014-11-14 18:11:46.599: debug: Re-signing not necessary! +2014-11-14 18:11:46.599: debug: Check if there is a parent file to copy +2014-11-14 18:15:54.379: debug: Check RFC5011 status +2014-11-14 18:15:54.379: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:15:54.379: debug: Check KSK status +2014-11-14 18:15:54.379: debug: Check ZSK status +2014-11-14 18:15:54.379: debug: Re-signing not necessary! +2014-11-14 18:15:54.379: debug: Check if there is a parent file to copy +2014-11-14 18:31:09.365: debug: Check RFC5011 status +2014-11-14 18:31:09.365: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:31:09.365: debug: Check KSK status +2014-11-14 18:31:09.365: debug: Check ZSK status +2014-11-14 18:31:09.365: debug: Re-signing not necessary! +2014-11-14 18:31:09.365: debug: Check if there is a parent file to copy +2014-11-14 18:31:27.335: debug: Check RFC5011 status +2014-11-14 18:31:27.335: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:31:27.335: debug: Check KSK status +2014-11-14 18:31:27.335: debug: Check ZSK status +2014-11-14 18:31:27.335: debug: Re-signing not necessary! 
+2014-11-14 18:31:27.335: debug: Check if there is a parent file to copy +2014-11-14 18:38:16.355: debug: Check RFC5011 status +2014-11-14 18:38:16.355: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-14 18:38:16.355: debug: Check KSK status +2014-11-14 18:38:16.355: debug: Check ZSK status +2014-11-14 18:38:16.355: debug: Re-signing not necessary! +2014-11-14 18:38:16.356: debug: Check if there is a parent file to copy +2014-11-15 18:16:50.447: debug: Check RFC5011 status +2014-11-15 18:16:50.447: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:16:50.447: debug: Check KSK status +2014-11-15 18:16:50.447: debug: Check ZSK status +2014-11-15 18:16:50.447: debug: Re-signing necessary: re-signing interval (1d) reached +2014-11-15 18:16:50.447: notice: "sub.example.net.": re-signing triggered: re-signing interval (1d) reached +2014-11-15 18:16:50.447: debug: Writing key file "././sub.example.net/dnskey.db" +2014-11-15 18:16:50.447: debug: Incrementing serial number in file "././sub.example.net/zone.db" +2014-11-15 18:16:50.447: debug: Signing zone "sub.example.net." +2014-11-15 18:16:50.448: debug: Run cmd "cd ././sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 DC5680 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2014-11-15 18:16:50.572: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-15 18:16:50.572: debug: Signing completed after 0s. +2014-11-15 18:16:54.202: debug: Check RFC5011 status +2014-11-15 18:16:54.202: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:16:54.202: debug: Check KSK status +2014-11-15 18:16:54.202: debug: Check ZSK status +2014-11-15 18:16:54.202: debug: Re-signing not necessary! 
+2014-11-15 18:16:54.202: debug: Check if there is a parent file to copy +2014-11-15 18:17:06.918: debug: Check RFC5011 status +2014-11-15 18:17:06.918: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:17:06.918: debug: Check KSK status +2014-11-15 18:17:06.918: debug: Check ZSK status +2014-11-15 18:17:06.918: debug: Re-signing not necessary! +2014-11-15 18:17:06.918: debug: Check if there is a parent file to copy +2014-11-15 18:17:17.242: debug: Check RFC5011 status +2014-11-15 18:17:17.242: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-15 18:17:17.242: debug: Check KSK status +2014-11-15 18:17:17.242: debug: Check ZSK status +2014-11-15 18:17:17.242: debug: Re-signing not necessary! +2014-11-15 18:17:17.242: debug: Check if there is a parent file to copy +2014-11-17 19:12:44.029: debug: Check RFC5011 status +2014-11-17 19:12:44.029: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:12:44.029: debug: Check KSK status +2014-11-17 19:12:44.029: debug: Check ZSK status +2014-11-17 19:12:44.029: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263008 sec) +2014-11-17 19:12:44.029: debug: ->waiting for published key +2014-11-17 19:12:44.029: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m28s: ZSK rollover deferred: waiting for published key +2014-11-17 19:12:44.029: debug: New ZSK for publishing needed +2014-11-17 19:12:44.110: debug: ->creating new key 53867 +2014-11-17 19:12:44.110: info: "sub.example.net.": new zone signing key 53867 generated for publishing +2014-11-17 19:12:44.110: debug: Re-signing necessary: Modified zone key set +2014-11-17 19:12:44.110: notice: "sub.example.net.": re-signing triggered: Modified zone key set +2014-11-17 19:12:44.110: debug: Writing key file "./sub.example.net/dnskey.db" +2014-11-17 19:12:44.111: debug: Incrementing serial number in file "./sub.example.net/zone.db" +2014-11-17 19:12:44.111: 
debug: Signing zone "sub.example.net." +2014-11-17 19:12:44.111: debug: Run cmd "cd ./sub.example.net; /usr/local/sbin/dnssec-signzone -n 1 -u -3 9F5882 -C -g -p -d ../keysets -o sub.example.net. -e +172800 zone.db K*.private 2>&1" +2014-11-17 19:12:44.250: debug: Cmd dnssec-signzone return: "zone.db.signed" +2014-11-17 19:12:44.250: debug: Signing completed after 0s. +2014-11-17 19:12:49.691: debug: Check RFC5011 status +2014-11-17 19:12:49.691: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:12:49.691: debug: Check KSK status +2014-11-17 19:12:49.691: debug: Check ZSK status +2014-11-17 19:12:49.691: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263013 sec) +2014-11-17 19:12:49.691: debug: ->waiting for published key +2014-11-17 19:12:49.691: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m33s: ZSK rollover deferred: waiting for published key +2014-11-17 19:12:49.692: debug: Re-signing not necessary! +2014-11-17 19:12:49.692: debug: Check if there is a parent file to copy +2014-11-17 19:13:02.603: debug: Check RFC5011 status +2014-11-17 19:13:02.603: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:13:02.603: debug: Check KSK status +2014-11-17 19:13:02.603: debug: Check ZSK status +2014-11-17 19:13:02.603: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263026 sec) +2014-11-17 19:13:02.603: debug: ->waiting for published key +2014-11-17 19:13:02.603: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h3m46s: ZSK rollover deferred: waiting for published key +2014-11-17 19:13:02.603: debug: Re-signing not necessary! 
+2014-11-17 19:13:02.603: debug: Check if there is a parent file to copy +2014-11-17 19:13:50.409: debug: Check RFC5011 status +2014-11-17 19:13:50.409: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:13:50.409: debug: Check KSK status +2014-11-17 19:13:50.409: debug: Check ZSK status +2014-11-17 19:13:50.409: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263074 sec) +2014-11-17 19:13:50.409: debug: ->waiting for published key +2014-11-17 19:13:50.409: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m34s: ZSK rollover deferred: waiting for published key +2014-11-17 19:13:50.409: debug: Re-signing not necessary! +2014-11-17 19:13:50.409: debug: Check if there is a parent file to copy +2014-11-17 19:13:54.302: debug: Check RFC5011 status +2014-11-17 19:13:54.302: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:13:54.302: debug: Check KSK status +2014-11-17 19:13:54.302: debug: Check ZSK status +2014-11-17 19:13:54.302: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263078 sec) +2014-11-17 19:13:54.302: debug: ->waiting for published key +2014-11-17 19:13:54.302: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m38s: ZSK rollover deferred: waiting for published key +2014-11-17 19:13:54.302: debug: Re-signing not necessary! 
+2014-11-17 19:13:54.302: debug: Check if there is a parent file to copy +2014-11-17 19:14:01.845: debug: Check RFC5011 status +2014-11-17 19:14:01.846: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2014-11-17 19:14:01.846: debug: Check KSK status +2014-11-17 19:14:01.846: debug: Check ZSK status +2014-11-17 19:14:01.846: debug: Lifetime(259200 +/-150 sec) of active key 21503 exceeded (263085 sec) +2014-11-17 19:14:01.846: debug: ->waiting for published key +2014-11-17 19:14:01.846: notice: "sub.example.net.": lifetime of zone signing key 21503 exceeded since 1h4m45s: ZSK rollover deferred: waiting for published key +2014-11-17 19:14:01.846: debug: Re-signing not necessary! +2014-11-17 19:14:01.846: debug: Check if there is a parent file to copy diff --git a/contrib/zkt-1.1.3/examples/flat/zkt-ls b/contrib/zkt-1.1.3/examples/flat/zkt-ls new file mode 120000 index 0000000000..c513980564 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/flat/zkt-ls @@ -0,0 +1 @@ +../zkt-ls.sh \ No newline at end of file diff --git a/contrib/zkt-1.1.3/examples/flat/zkt-signer b/contrib/zkt-1.1.3/examples/flat/zkt-signer new file mode 120000 index 0000000000..b5f367de78 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/flat/zkt-signer @@ -0,0 +1 @@ +../zkt-signer.sh \ No newline at end of file diff --git a/contrib/zkt-1.1.3/examples/hierarchical/zkt-ls b/contrib/zkt-1.1.3/examples/hierarchical/zkt-ls new file mode 120000 index 0000000000..c513980564 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/hierarchical/zkt-ls @@ -0,0 +1 @@ +../zkt-ls.sh \ No newline at end of file diff --git a/contrib/zkt-1.1.3/examples/hierarchical/zkt-signer b/contrib/zkt-1.1.3/examples/hierarchical/zkt-signer new file mode 120000 index 0000000000..b5f367de78 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/hierarchical/zkt-signer @@ -0,0 +1 @@ +../zkt-signer.sh \ No newline at end of file 
diff --git a/contrib/zkt-1.1.3/examples/views/dnssec-extern.conf b/contrib/zkt-1.1.3/examples/views/dnssec-extern.conf
new file mode 100644
index 0000000000..728dcc9431
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/dnssec-extern.conf
@@ -0,0 +1,39 @@
+#
+# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "extern"
+Recursive: True
+PrintTime: False
+PrintAge: True
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 1w # (604800 seconds)
+Sigvalidity: 10d # (864000 seconds)
+Max_TTL: 8h # (28800 seconds)
+Propagation: 5m # (300 seconds)
+KEY_TTL: 1h # (3600 seconds)
+Serialformat: unixtime
+
+# signing key parameters
+KSK_lifetime: 1y # (31536000 seconds)
+KSK_algo: RSASHA1 # (Algorithm ID 5)
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 30d # (2592000 seconds)
+ZSK_algo: RSASHA1 # (Algorithm ID 5)
+ZSK_bits: 512
+ZSK_randfile: "/dev/urandom"
+
+# dnssec-signer options
+LogFile: "zkt-ext.log"
+LogLevel: "debug"
+SyslogFacility: "none"
+SyslogLevel: "notice"
+VerboseLog: 2
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+DLV_Domain: ""
+Sig_Pseudorand: True
diff --git a/contrib/zkt-1.1.3/examples/views/dnssec-intern.conf b/contrib/zkt-1.1.3/examples/views/dnssec-intern.conf
new file mode 100644
index 0000000000..d49fc94664
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/dnssec-intern.conf
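Review bot: `ZSK_bits: 512` together with `ZSK_algo: RSASHA1` under "signing key parameters" in dnssec-extern.conf is far too weak for a zone signing key, since a 512-bit RSA modulus can be factored with modest resources, and `KSK_bits: 1300` with SHA-1 is also below current guidance. Example configs tend to be copied into real deployments, so I would ship stronger values such as `KSK_algo: RSASHA256` with `KSK_bits: 2048` and `ZSK_algo: RSASHA256` with `ZSK_bits: 1024` or more, provided this ZKT version accepts that algorithm name. Failing that, a comment such as `# example values only; too weak for a production zone` above the block would help. dnssec-intern.conf carries the same four values.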
@@ -0,0 +1,39 @@
+#
+# @(#) dnssec.conf vT0.96 (c) Feb 2005 - May 2008 Holger Zuleger hznet.de
+#
+
+# dnssec-zkt options
+Zonedir: "intern"
+Recursive: True
+PrintTime: False
+PrintAge: True
+LeftJustify: False
+
+# zone specific values
+ResignInterval: 5h # (18000 seconds)
+Sigvalidity: 1d # (86400 seconds)
+Max_TTL: 30m # (1800 seconds)
+Propagation: 1m # (60 seconds)
+KEY_TTL: 30m # (1800 seconds)
+Serialformat: unixtime
+
+# signing key parameters
+KSK_lifetime: 1y # (31536000 seconds)
+KSK_algo: RSASHA1 # (Algorithm ID 5)
+KSK_bits: 1300
+KSK_randfile: "/dev/urandom"
+ZSK_lifetime: 30d # (2592000 seconds)
+ZSK_algo: RSASHA1 # (Algorithm ID 5)
+ZSK_bits: 512
+ZSK_randfile: "/dev/urandom"
+
+# dnssec-signer options
+LogFile: "zkt-int.log"
+LogLevel: "debug"
+SyslogFacility: "none"
+SyslogLevel: "notice"
+VerboseLog: 2
+Keyfile: "dnskey.db"
+Zonefile: "zone.db"
+DLV_Domain: ""
+Sig_Pseudorand: True
diff --git a/contrib/zkt-1.1.3/examples/views/dnssec-signer-extern b/contrib/zkt-1.1.3/examples/views/dnssec-signer-extern
new file mode 100644
index 0000000000..910e82aa8d
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/dnssec-signer-extern
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# Shell script to start the dnssec-signer
+# command out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V extern "$@"
diff --git a/contrib/zkt-1.1.3/examples/views/dnssec-signer-intern b/contrib/zkt-1.1.3/examples/views/dnssec-signer-intern
new file mode 100644
index 0000000000..915ed153c4
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/dnssec-signer-intern
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# Shell script to start the dnssec-signer
+# command out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-signer -V intern "$@"
diff --git a/contrib/zkt-1.1.3/examples/views/dnssec-zkt-extern b/contrib/zkt-1.1.3/examples/views/dnssec-zkt-extern
new file mode 100644
index 0000000000..129b4e1004
--- /dev/null
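Review bot: The last line of dnssec-signer-extern resolves both the signer binary (`../../dnssec-signer`) and the config path (built from `pwd`) against the caller's working directory, not the script's own location. Started from any other directory, the wrapper either fails or runs whatever sits at that relative path, which matters for a tool that reads the zone's private keys. I would anchor the script first with `cd "$(dirname "$0")" || exit 1` and, as a matter of style, write the assignment as `ZKT_CONFFILE="$(pwd)/dnssec.conf"`. The file is also added with mode 100644, so it cannot be executed directly, which may be intentional for contrib examples. The same applies to dnssec-signer-intern, dnssec-zkt-extern and dnssec-zkt-intern.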
+++ b/contrib/zkt-1.1.3/examples/views/dnssec-zkt-extern
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# Shell script to start the dnssec-zkt command
+# out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view extern "$@"
diff --git a/contrib/zkt-1.1.3/examples/views/dnssec-zkt-intern b/contrib/zkt-1.1.3/examples/views/dnssec-zkt-intern
new file mode 100644
index 0000000000..1836840f8d
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/dnssec-zkt-intern
@@ -0,0 +1,7 @@
+#!/bin/sh
+#
+# Shell script to start the dnssec-zkt command
+# out of the view directory
+#
+
+ZKT_CONFFILE=`pwd`/dnssec.conf ../../dnssec-zkt --view intern "$@"
diff --git a/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db b/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db
new file mode 100644
index 0000000000..4c72928f0b
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db
@@ -0,0 +1,33 @@
+;-----------------------------------------------------------------
+;
+; @(#) extern/example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 0 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+
+ns1 IN A 1.0.0.5
+ IN AAAA 2001:db8::53
+ns2 IN A 1.2.0.6
+
+localhost IN A 127.0.0.1
+
+; Delegation to secure zone; The DS resource record will
+; be added by dnssec-signzone automatically if the
+; keyset-sub.example.net file is present (run dnssec-signzone
+; with option -g or use the dnssec-signer tool) ;-)
+sub IN NS ns1.example.net.
+
+; this file will have all the zone keys
+$INCLUDE dnskey.db
+
diff --git a/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db.signed b/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db.signed
new file mode 100644
index 0000000000..e69de29bb2
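Review bot: `ns1 IN A 1.0.0.5` and `ns2 IN A 1.2.0.6` in extern/example.net/zone.db are addresses in publicly routable space, while the AAAA record beside them already uses the 2001:db8::/32 documentation prefix. For an example zone I would take the IPv4 glue from the RFC 5737 documentation ranges, e.g. `ns1 IN A 192.0.2.5` and `ns2 IN A 198.51.100.6`, so that a copied or accidentally served zone never points resolvers at someone else's hosts. A comment such as `; documentation addresses (RFC 5737 / RFC 3849), replace before use` above the records would make the intent explicit.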
diff --git a/contrib/zkt-1.1.3/examples/views/extern/zkt-ext.log b/contrib/zkt-1.1.3/examples/views/extern/zkt-ext.log
new file mode 100644
index 0000000000..d070ca23f3
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/extern/zkt-ext.log
@@ -0,0 +1,51 @@ +2008-06-12 17:59:04.194: notice: running as ../../dnssec-signer -V extern -v -v +2008-06-12 17:59:04.195: debug: parsing zone "example.net." in dir "extern/example.net." +2008-06-12 17:59:04.196: debug: Check RFC5011 status +2008-06-12 17:59:04.196: debug: ->ksk5011status returns 0 +2008-06-12 17:59:04.196: debug: Check ksk status +2008-06-12 17:59:04.196: debug: Re-signing not necessary! +2008-06-12 17:59:04.196: notice: end of run: 0 errors occured +2008-06-12 17:59:17.435: notice: running as ../../dnssec-signer -V extern -v -v +2008-06-12 17:59:17.436: debug: parsing zone "example.net." in dir "extern/example.net." +2008-06-12 17:59:17.436: debug: Check RFC5011 status +2008-06-12 17:59:17.436: debug: ->ksk5011status returns 0 +2008-06-12 17:59:17.436: debug: Check ksk status +2008-06-12 17:59:17.436: debug: Re-signing not necessary! +2008-06-12 17:59:17.436: notice: end of run: 0 errors occured +2008-06-12 18:00:07.818: notice: running as ../../dnssec-signer -V extern -v -v +2008-06-12 18:00:07.819: debug: parsing zone "example.net." in dir "extern/example.net." +2008-06-12 18:00:07.819: debug: Check RFC5011 status +2008-06-12 18:00:07.819: debug: ->ksk5011status returns 0 +2008-06-12 18:00:07.819: debug: Check ksk status +2008-06-12 18:00:07.819: debug: Re-signing not necessary! +2008-06-12 18:00:07.819: notice: end of run: 0 errors occured +2008-06-12 18:00:39.019: notice: running as ../../dnssec-signer -V extern -v -v +2008-06-12 18:00:39.020: debug: parsing zone "example.net." in dir "extern/example.net." +2008-06-12 18:00:39.020: debug: Check RFC5011 status +2008-06-12 18:00:39.020: debug: ->ksk5011status returns 0 +2008-06-12 18:00:39.020: debug: Check ksk status +2008-06-12 18:00:39.020: debug: Re-signing not necessary! 
+2008-06-12 18:00:39.020: notice: end of run: 0 errors occured +2008-10-03 01:00:45.544: notice: ------------------------------------------------------------ +2008-10-03 01:00:45.544: notice: running ../../dnssec-signer -V extern -v -v +2008-10-03 01:00:45.545: debug: parsing zone "example.net" in dir "extern/example.net" +2008-10-03 01:00:45.545: debug: Check RFC5011 status +2008-10-03 01:00:45.545: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2008-10-03 01:00:45.545: debug: Check KSK status +2008-10-03 01:00:45.545: debug: Check ZSK status +2008-10-03 01:00:45.545: debug: Lifetime(2592000 +/-150 sec) of active key 35744 exceeded (5018328 sec) +2008-10-03 01:00:45.546: debug: ->depreciate it +2008-10-03 01:00:45.546: debug: ->activate published key 10367 +2008-10-03 01:00:45.546: notice: "example.net": lifetime of zone signing key 35744 exceeded: ZSK rollover done +2008-10-03 01:00:45.546: debug: New key for publishing needed +2008-10-03 01:00:45.614: debug: ->creating new key 14714 +2008-10-03 01:00:45.614: info: "example.net": new key 14714 generated for publishing +2008-10-03 01:00:45.614: debug: Re-signing necessary: New zone key +2008-10-03 01:00:45.614: notice: "example.net": re-signing triggered: New zone key +2008-10-03 01:00:45.614: debug: Writing key file "extern/example.net/dnskey.db" +2008-10-03 01:00:45.614: debug: Signing zone "example.net" +2008-10-03 01:00:45.614: debug: Run cmd "cd extern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +864000 -N unixtime zone.db K*.private" +2008-10-03 01:00:46.114: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-10-03 01:00:46.114: debug: Signing completed after 1s. +2008-10-03 01:00:46.114: debug: +2008-10-03 01:00:46.114: notice: end of run: 0 errors occured diff --git a/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db b/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db new file mode 100644 index 0000000000..af4861b5da --- /dev/null 
+++ b/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db
@@ -0,0 +1,33 @@
+;-----------------------------------------------------------------
+;
+; @(#) intern/example.net/zone.db
+;
+;-----------------------------------------------------------------
+
+$TTL 7200
+
+@ IN SOA ns1.example.net. hostmaster.example.net. (
+ 0 ; Serial
+ 43200 ; Refresh
+ 1800 ; Retry
+ 2W ; Expire
+ 7200 ) ; Minimum
+
+ IN NS ns1.example.net.
+ IN NS ns2.example.net.
+
+ns1 IN A 192.168.1.53
+ IN AAAA fd12:063c:cdbb::53
+ns2 IN A 10.1.2.3
+
+localhost IN A 127.0.0.1
+
+; Delegation to secure zone; The DS resource record will
+; be added by dnssec-signzone automatically if the
+; keyset-sub.example.net file is present (run dnssec-signzone
+; with option -g or use the dnssec-signer tool) ;-)
+sub IN NS ns1.example.net.
+
+; this file will have all the zone keys
+$INCLUDE dnskey.db
+
diff --git a/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db.signed b/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db.signed
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/contrib/zkt-1.1.3/examples/views/intern/zkt-int.log b/contrib/zkt-1.1.3/examples/views/intern/zkt-int.log
new file mode 100644
index 0000000000..d6d4593cd9
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/intern/zkt-int.log
@@ -0,0 +1,192 @@ +2008-06-12 18:02:13.593: notice: running as ../../dnssec-signer -V intern -v -v +2008-06-12 18:02:13.594: debug: parsing zone "example.net." in dir "intern/example.net." +2008-06-12 18:02:13.594: debug: Check RFC5011 status +2008-06-12 18:02:13.595: debug: ->ksk5011status returns 0 +2008-06-12 18:02:13.595: debug: Check ksk status +2008-06-12 18:02:13.595: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727466 sec) +2008-06-12 18:02:13.595: debug: ->waiting for pre-publish key +2008-06-12 18:02:13.595: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h17m46s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:02:13.595: debug: Re-signing necessary: Modified keys +2008-06-12 18:02:13.595: notice: "example.net.": re-signing triggered: Modified keys +2008-06-12 18:02:13.595: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:02:13.596: debug: Signing zone "example.net." +2008-06-12 18:02:13.596: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:02:13.705: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:02:13.705: debug: Signing completed after 0s. +2008-06-12 18:02:13.705: debug: +2008-06-12 18:02:13.705: notice: end of run: 0 errors occured +2008-06-12 18:03:13.208: notice: running as ../../dnssec-signer -V intern -r -v -v +2008-06-12 18:03:13.209: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:03:13.209: debug: Check RFC5011 status +2008-06-12 18:03:13.209: debug: ->ksk5011status returns 0 +2008-06-12 18:03:13.209: debug: Check ksk status +2008-06-12 18:03:13.209: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727526 sec) +2008-06-12 18:03:13.209: debug: ->waiting for pre-publish key +2008-06-12 18:03:13.209: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m46s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:03:13.209: debug: Re-signing not necessary! +2008-06-12 18:03:13.209: notice: end of run: 0 errors occured +2008-06-12 18:03:19.287: notice: running as ../../dnssec-signer -V intern -r -v -v +2008-06-12 18:03:19.288: debug: parsing zone "example.net." in dir "intern/example.net." +2008-06-12 18:03:19.288: debug: Check RFC5011 status +2008-06-12 18:03:19.289: debug: ->ksk5011status returns 0 +2008-06-12 18:03:19.289: debug: Check ksk status +2008-06-12 18:03:19.289: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727532 sec) +2008-06-12 18:03:19.289: debug: ->waiting for pre-publish key +2008-06-12 18:03:19.289: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m52s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:03:19.289: debug: Re-signing not necessary! +2008-06-12 18:03:19.289: notice: end of run: 0 errors occured +2008-06-12 18:03:23.617: notice: running as ../../dnssec-signer -V intern -f -r -v -v +2008-06-12 18:03:23.618: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:03:23.618: debug: Check RFC5011 status +2008-06-12 18:03:23.618: debug: ->ksk5011status returns 0 +2008-06-12 18:03:23.618: debug: Check ksk status +2008-06-12 18:03:23.618: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727536 sec) +2008-06-12 18:03:23.618: debug: ->waiting for pre-publish key +2008-06-12 18:03:23.618: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h18m56s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:03:23.618: debug: Re-signing necessary: Option -f +2008-06-12 18:03:23.618: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:03:23.618: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:03:23.619: debug: Signing zone "example.net." +2008-06-12 18:03:23.619: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:03:23.719: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:03:23.719: debug: Signing completed after 0s. +2008-06-12 18:03:23.720: notice: ""example.net." in view "intern"": reload triggered +2008-06-12 18:03:23.772: debug: +2008-06-12 18:03:23.772: notice: end of run: 0 errors occured +2008-06-12 18:05:39.532: notice: running as ../../dnssec-signer -V intern -f -r -v -v +2008-06-12 18:05:39.533: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:05:39.533: debug: Check RFC5011 status +2008-06-12 18:05:39.533: debug: ->ksk5011status returns 0 +2008-06-12 18:05:39.533: debug: Check ksk status +2008-06-12 18:05:39.533: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727672 sec) +2008-06-12 18:05:39.533: debug: ->waiting for pre-publish key +2008-06-12 18:05:39.533: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h21m12s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:05:39.533: debug: Re-signing necessary: Option -f +2008-06-12 18:05:39.533: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:05:39.533: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:05:39.534: debug: Signing zone "example.net." +2008-06-12 18:05:39.534: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:05:39.629: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:05:39.630: debug: Signing completed after 0s. +2008-06-12 18:05:39.630: notice: ""example.net."": reload triggered +2008-06-12 18:05:39.640: debug: +2008-06-12 18:05:39.640: notice: end of run: 0 errors occured +2008-06-12 18:07:47.753: notice: running as ../../dnssec-signer -V intern -f -r -v -v +2008-06-12 18:07:47.754: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:07:47.754: debug: Check RFC5011 status +2008-06-12 18:07:47.754: debug: ->ksk5011status returns 0 +2008-06-12 18:07:47.754: debug: Check ksk status +2008-06-12 18:07:47.754: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727800 sec) +2008-06-12 18:07:47.754: debug: ->waiting for pre-publish key +2008-06-12 18:07:47.754: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h23m20s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:07:47.754: debug: Re-signing necessary: Option -f +2008-06-12 18:07:47.754: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:07:47.754: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:07:47.754: debug: Signing zone "example.net." +2008-06-12 18:07:47.754: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:07:47.856: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:07:47.856: debug: Signing completed after 0s. +2008-06-12 18:07:47.856: notice: ""example.net."": reload triggered +2008-06-12 18:07:47.866: debug: +2008-06-12 18:07:47.867: notice: end of run: 0 errors occured +2008-06-12 18:10:57.978: notice: running as ../../dnssec-signer -V intern -f -r -v -v +2008-06-12 18:10:57.978: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:10:57.978: debug: Check RFC5011 status +2008-06-12 18:10:57.978: debug: ->ksk5011status returns 0 +2008-06-12 18:10:57.978: debug: Check ksk status +2008-06-12 18:10:57.978: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17727990 sec) +2008-06-12 18:10:57.978: debug: ->waiting for pre-publish key +2008-06-12 18:10:57.978: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h26m30s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:10:57.978: debug: Re-signing necessary: Option -f +2008-06-12 18:10:57.978: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:10:57.978: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:10:57.979: debug: Signing zone "example.net." +2008-06-12 18:10:57.979: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:10:58.081: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:10:58.081: debug: Signing completed after 1s. +2008-06-12 18:10:58.081: notice: ""example.net." in view "intern"": reload triggered +2008-06-12 18:10:58.093: debug: +2008-06-12 18:10:58.093: notice: end of run: 0 errors occured +2008-06-12 18:13:29.511: notice: running as ../../dnssec-signer -V intern -f -r -v -v +2008-06-12 18:13:29.512: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:13:29.512: debug: Check RFC5011 status +2008-06-12 18:13:29.512: debug: ->ksk5011status returns 0 +2008-06-12 18:13:29.512: debug: Check ksk status +2008-06-12 18:13:29.512: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728142 sec) +2008-06-12 18:13:29.512: debug: ->waiting for pre-publish key +2008-06-12 18:13:29.512: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m2s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:13:29.512: debug: Re-signing necessary: Option -f +2008-06-12 18:13:29.512: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:13:29.512: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:13:29.513: debug: Signing zone "example.net." +2008-06-12 18:13:29.513: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:13:29.612: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:13:29.612: debug: Signing completed after 0s. +2008-06-12 18:13:29.612: notice: ""example.net." in view "intern"": reload triggered +2008-06-12 18:13:29.612: debug: Reload zone "example.net." in view "intern" +2008-06-12 18:13:29.612: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern" +2008-06-12 18:13:29.623: debug: +2008-06-12 18:13:29.623: notice: end of run: 0 errors occured +2008-06-12 18:13:38.707: notice: running as ../../dnssec-signer -V intern -f -r -v +2008-06-12 18:13:38.708: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:13:38.709: debug: Check RFC5011 status +2008-06-12 18:13:38.709: debug: ->ksk5011status returns 0 +2008-06-12 18:13:38.709: debug: Check ksk status +2008-06-12 18:13:38.709: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728151 sec) +2008-06-12 18:13:38.709: debug: ->waiting for pre-publish key +2008-06-12 18:13:38.709: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m11s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:13:38.709: debug: Re-signing necessary: Option -f +2008-06-12 18:13:38.709: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:13:38.709: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:13:38.710: debug: Signing zone "example.net." +2008-06-12 18:13:38.710: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:13:39.163: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:13:39.163: debug: Signing completed after 1s. +2008-06-12 18:13:39.163: notice: ""example.net." in view "intern"": reload triggered +2008-06-12 18:13:39.163: debug: Reload zone "example.net." in view "intern" +2008-06-12 18:13:39.163: debug: Run cmd "/usr/local/sbin/rndc reload example.net. IN intern" +2008-06-12 18:13:39.174: debug: +2008-06-12 18:13:39.174: notice: end of run: 0 errors occured +2008-06-12 18:13:43.163: notice: running as ../../dnssec-signer -V intern -f -r -v -v +2008-06-12 18:13:43.164: debug: parsing zone "example.net." in dir "intern/example.net." 
+2008-06-12 18:13:43.164: debug: Check RFC5011 status +2008-06-12 18:13:43.164: debug: ->ksk5011status returns 0 +2008-06-12 18:13:43.164: debug: Check ksk status +2008-06-12 18:13:43.164: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (17728156 sec) +2008-06-12 18:13:43.164: debug: ->waiting for pre-publish key +2008-06-12 18:13:43.164: notice: "example.net.": lifetime of zone signing key 5972 exceeded since 25w4h29m16s: ZSK rollover deferred: waiting for pre-publish key +2008-06-12 18:13:43.164: debug: Re-signing necessary: Option -f +2008-06-12 18:13:43.164: notice: "example.net.": re-signing triggered: Option -f +2008-06-12 18:13:43.164: debug: Writing key file "intern/example.net./dnskey.db" +2008-06-12 18:13:43.164: debug: Signing zone "example.net." +2008-06-12 18:13:43.164: debug: Run cmd "cd intern/example.net.; /usr/local/sbin/dnssec-signzone -p -o example.net. -e +86400 -g -N unixtime zone.db K*.private" +2008-06-12 18:13:43.262: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-06-12 18:13:43.262: debug: Signing completed after 0s. +2008-06-12 18:13:43.262: notice: ""example.net." in view "intern"": reload triggered +2008-06-12 18:13:43.262: debug: Reload zone "example.net." in view "intern" +2008-06-12 18:13:43.262: debug: Run cmd "/usr/local/sbin/rndc reload example.net. 
IN intern" +2008-06-12 18:13:43.273: debug: +2008-06-12 18:13:43.273: notice: end of run: 0 errors occured +2008-10-03 01:00:38.404: notice: ------------------------------------------------------------ +2008-10-03 01:00:38.404: notice: running ../../dnssec-signer -V intern +2008-10-03 01:00:38.405: debug: parsing zone "example.net" in dir "intern/example.net" +2008-10-03 01:00:38.405: debug: Check RFC5011 status +2008-10-03 01:00:38.405: debug: ->not a rfc5011 zone, looking for a regular ksk rollover +2008-10-03 01:00:38.405: debug: Check KSK status +2008-10-03 01:00:38.405: debug: Check ZSK status +2008-10-03 01:00:38.405: debug: Lifetime(2592000 +/-150 sec) of active key 5972 exceeded (5018321 sec) +2008-10-03 01:00:38.405: debug: ->depreciate it +2008-10-03 01:00:38.405: debug: ->activate published key 23375 +2008-10-03 01:00:38.405: notice: "example.net": lifetime of zone signing key 5972 exceeded: ZSK rollover done +2008-10-03 01:00:38.405: debug: New key for publishing needed +2008-10-03 01:00:38.491: debug: ->creating new key 55745 +2008-10-03 01:00:38.492: info: "example.net": new key 55745 generated for publishing +2008-10-03 01:00:38.492: debug: Re-signing necessary: New zone key +2008-10-03 01:00:38.492: notice: "example.net": re-signing triggered: New zone key +2008-10-03 01:00:38.492: debug: Writing key file "intern/example.net/dnskey.db" +2008-10-03 01:00:38.492: debug: Signing zone "example.net" +2008-10-03 01:00:38.492: debug: Run cmd "cd intern/example.net; /usr/local/sbin/dnssec-signzone -g -p -o example.net -e +86400 -N unixtime zone.db K*.private" +2008-10-03 01:00:38.796: debug: Cmd dnssec-signzone return: "zone.db.signed" +2008-10-03 01:00:38.796: debug: Signing completed after 0s. +2008-10-03 01:00:38.796: debug: +2008-10-03 01:00:38.796: notice: end of run: 0 errors occured diff --git a/contrib/zkt-1.1.3/examples/views/named.conf b/contrib/zkt-1.1.3/examples/views/named.conf new file mode 100644 index 0000000000..c7034e2f5f --- /dev/null 
+++ b/contrib/zkt-1.1.3/examples/views/named.conf 
@@ -0,0 +1,97 @@
+/*****************************************************************
+**
+** #(@) named.conf (c) 6. May 2004 (hoz)
+*****************************************************************/
+
+/*****************************************************************
+** logging options
+*****************************************************************/
+logging {
+ channel "named-log" {
+ file "named.log";
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+ category "dnssec" { "named-log"; };
+ category "edns-disabled" { "named-log"; };
+ category "default" { "named-log"; };
+};
+
+/*****************************************************************
+** name server options
+*****************************************************************/
+options {
+ directory ".";
+
+ pid-file "named.pid";
+ listen-on-v6 port 1053 { any; };
+ listen-on port 1053 { any; };
+
+ empty-zones-enable no;
+
+ port 1053;
+ query-source address * port 1053;
+ query-source-v6 address * port 1053;
+ transfer-source * port 53;
+ transfer-source-v6 * port 53;
+ use-alt-transfer-source no;
+ notify-source * port 53;
+ notify-source-v6 * port 53;
+
+ recursion yes;
+ dnssec-enable yes;
+ dnssec-validation yes; /* required by BIND 9.4.0 */
+ dnssec-accept-expired false; /* added since BIND 9.5.0 */
+ edns-udp-size 1460; /* (M4) */
+ max-udp-size 1460; /* (M5) */
+
+ # allow-query { localhost; }; /* default in 9.4.0 */
+ # allow-query-cache { localhost; }; /* default in 9.4.0 */
+
+ dnssec-must-be-secure "." no;
+
+ querylog yes;
+
+ stats-server 127.0.0.1 port 8881; /* added since BIND 9.5.0 */
+};
+
+/*****************************************************************
+** view intern
+*****************************************************************/
+view "intern" {
+ match-clients { 127.0.0.1; ::1; };
+ recursion yes;
+ zone "." in {
+ type hint;
+ file "root.hint";
+ };
+
+ zone "0.0.127.in-addr.arpa" in {
+ type master;
+ file "127.0.0.zone";
+ };
+
+ zone "example.net" in {
+ type master;
+ file "intern/example.net/zone.db.signed";
+ };
+};
+
+/*****************************************************************
+** view extern
+*****************************************************************/
+view "extern" {
+ match-clients { any; };
+ recursion no;
+ zone "." in {
+ type hint;
+ file "root.hint";
+ };
+
+ zone "example.net" in {
+ type master;
+ file "extern/example.net/zone.db.signed";
+ };
+};
diff --git a/contrib/zkt-1.1.3/examples/views/named.log b/contrib/zkt-1.1.3/examples/views/named.log
new file mode 100644
index 0000000000..15d5f7b927
--- /dev/null
+++ b/contrib/zkt-1.1.3/examples/views/named.log
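Review bot: Neither the `options` block nor the `example.net` zone in view "extern" sets `allow-transfer`, and that view uses `match-clients { any; };`. On BIND releases whose default permits transfers to any host (believed to be the case for the 9.4/9.5 versions the comments mention, but worth confirming), every client that can reach port 1053 can pull a full copy of the signed zone. For an example that will be copied I would add `allow-transfer { none; };` to `options` and open it per zone only to named secondaries. The "intern" view also loads `127.0.0.zone`, which the named.log added in this same commit reports as "file not found"; either ship that file or drop the `0.0.127.in-addr.arpa` zone. Finally, `transfer-source` and `notify-source` are pinned to port 53 while the server listens on 1053 and keeps its pid file in the working directory, so an unprivileged run probably cannot bind them; leaving the port unspecified there would be safer.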
@@ -0,0 +1,17 @@ +20-Nov-2007 17:12:58.092 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied +20-Nov-2007 17:12:58.092 general: critical: exiting (due to early fatal error) +20-Nov-2007 17:20:24.941 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied +20-Nov-2007 17:20:24.941 general: critical: exiting (due to early fatal error) +20-Nov-2007 17:28:22.686 general: critical: couldn't open pid file '/var/run/named.pid': Permission denied +20-Nov-2007 17:28:22.686 general: critical: exiting (due to early fatal error) +20-Nov-2007 17:40:12.389 general: error: zone 0.0.127.in-addr.arpa/IN/intern: loading from master file 127.0.0.zone failed: file not found +20-Nov-2007 17:40:12.391 general: info: zone example.net/IN/intern: loaded serial 1195574789 (signed) +20-Nov-2007 17:40:12.393 general: info: zone example.net/IN/extern: loaded serial 1195561217 (signed) +20-Nov-2007 17:40:12.393 general: notice: running +20-Nov-2007 17:40:12.393 notify: info: zone example.net/IN/intern: sending notifies (serial 1195574789) +20-Nov-2007 17:40:12.394 notify: info: zone example.net/IN/extern: sending notifies (serial 1195561217) +20-Nov-2007 19:07:04.016 general: info: shutting down +20-Nov-2007 19:07:04.017 network: info: no longer listening on ::#1053 +20-Nov-2007 19:07:04.017 network: info: no longer listening on 127.0.0.1#1053 +20-Nov-2007 19:07:04.017 network: info: no longer listening on 145.253.100.51#1053 +20-Nov-2007 19:07:04.020 general: notice: exiting diff --git a/contrib/zkt-1.1.3/examples/views/root.hint b/contrib/zkt-1.1.3/examples/views/root.hint new file mode 100644 index 0000000000..2b5c167a31 --- /dev/null +++ b/contrib/zkt-1.1.3/examples/views/root.hint 
@@ -0,0 +1,45 @@ +; <<>> DiG 9.5.0a6 <<>> ns . @a.root-servers.net +;; global options: printcmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33355 +;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 +;; WARNING: recursion requested but not available + +;; QUESTION SECTION: +;. IN NS + +;; ANSWER SECTION: +. 518400 IN NS H.ROOT-SERVERS.NET. +. 518400 IN NS I.ROOT-SERVERS.NET. +. 518400 IN NS J.ROOT-SERVERS.NET. +. 518400 IN NS K.ROOT-SERVERS.NET. +. 518400 IN NS L.ROOT-SERVERS.NET. +. 518400 IN NS M.ROOT-SERVERS.NET. +. 518400 IN NS A.ROOT-SERVERS.NET. +. 518400 IN NS B.ROOT-SERVERS.NET. +. 518400 IN NS C.ROOT-SERVERS.NET. +. 518400 IN NS D.ROOT-SERVERS.NET. +. 518400 IN NS E.ROOT-SERVERS.NET. +. 518400 IN NS F.ROOT-SERVERS.NET. +. 518400 IN NS G.ROOT-SERVERS.NET. + +;; ADDITIONAL SECTION: +A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4 +B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201 +C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12 +D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90 +E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10 +F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241 +G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4 +H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53 +I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17 +J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30 +K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129 +L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42 +M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33 + +;; Query time: 114 msec +;; SERVER: 198.41.0.4#53(198.41.0.4) +;; WHEN: Mon Nov 5 07:28:00 2007 +;; MSG SIZE rcvd: 436 + diff --git a/contrib/zkt-1.1.3/examples/views/viewtest.sh b/contrib/zkt-1.1.3/examples/views/viewtest.sh new file mode 100644 index 0000000000..f0a17543ac --- /dev/null +++ b/contrib/zkt-1.1.3/examples/views/viewtest.sh 
@@ -0,0 +1,20 @@
+
+
+ZKT_CONFFILE=dnssec.conf
+export ZKT_CONFFILE
+
+if true
+then
+ echo "All internal keys:"
+ ./dnssec-zkt-intern
+ echo
+
+ echo "All external keys:"
+ ./dnssec-zkt-extern
+ echo
+fi
+
+echo "Sign both views"
+./dnssec-signer-intern -v -v -f -r
+echo
+./dnssec-signer-extern -v -v
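Review bot: Neither signer invocation in viewtest.sh is checked, so if `./dnssec-signer-intern` fails the script still goes on to the extern view and its exit status reflects only the last command. For a signing job that means a zone left unsigned or with ageing signatures can go unnoticed until validation starts failing. I would put `#!/bin/sh` on the first line (the file currently opens with two blank lines) and stop at the first failure, e.g. `./dnssec-signer-intern -v -v -f -r || exit 1`. The relative `./…` paths and `ZKT_CONFFILE=dnssec.conf` also assume the script is started from the views directory; a comment saying so, or `cd "$(dirname "$0")" || exit 1` near the top, would make that explicit.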