knot test revocation III
Knot, try revocation III
[root@ods knot]# pwd
/usr/local/knotrev/etc/knot
[root@ods knot]# # rm -rf ../../var/lib/knot/*
[root@ods knotrev]# keymgr example.com. generate algorithm=8 size=1024 ksk=no
2f7e102251d5589ab674ed0bb9c0505ba07ee078
[root@ods knotrev]# keymgr example.com. generate algorithm=8 size=2048 ksk=yes
1ef2baf93933d25f304069427bed34938ada5543
[root@ods knotrev]# knotc -b reload
Reloaded
** I add another key
[root@ods knotrev]# keymgr example.com. generate algorithm=8 size=2048 ksk=yes
27abf5cf726c1ee9d72a1d1498b8cd14b1d25cc3
[root@ods knotrev]# keymgr example.com list
1ef2baf93933d25f304069427bed34938ada5543 ksk=yes zsk=no tag=09976 algorithm=8 size=2048 public-only=no pre-active=0 publish=1595695114 ready=1595695114 active=1595695114 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
27abf5cf726c1ee9d72a1d1498b8cd14b1d25cc3 ksk=yes zsk=no tag=21790 algorithm=8 size=2048 public-only=no pre-active=0 publish=1595695142 ready=1595695142 active=1595695142 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
2f7e102251d5589ab674ed0bb9c0505ba07ee078 ksk=no zsk=yes tag=45025 algorithm=8 size=1024 public-only=no pre-active=0 publish=1595695102 ready=0 active=1595695102 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
** 21790 is the new, 09976 the old
[root@ods knotrev]# knotc -b reload
Reloaded
** I see the DNSKEY RRset signed by both
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAaydhne/z5EwMRvT1MxcHorlCMjbA5Iv8V3r
vrweDL/vG/U+Q6lqxwV4ndKJB99V76eLYwwGMS9k
ZPfbjrrelG7JIipqvUSFdvw/Yl6u49qNxtP2orP+
02ZqJjLp4d877M1eRsMkY4Xj6L2Fu60u9zpgMIzM
nUzrZ09qTeULkat/8IO59tLfqgO5TqijweSozH2T
b13Q5E0uxWbMcPiDeBDezCLx2WNmzL2B1gn+tLhB
8vTzExVHjt3JYXTPhG1ozRydybkeelem6n4mOAVN
s8enD9Fti2Tqny/aJnspi2+Tumk488x1sY5Ea9/V
8b2aFK8OeT0MlWwpVVGacbOoU20=
) ; KSK, RSASHA256 (2048b), id = 21790
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAcQbt9aCQA7bzkiY34UsOtjlc+MsGTkWia4e
Dajwf+05ESYNPYvueGTnOGtgkkqfzKLCqoQBnagO
wzSj6xcThmVgehbQ38mz+3kwK0aPI5h9msKNiLc2
DlyMT0dGNpA5Hn9TF3TcBq/nnZDQ2SlolkfrJgm4
QM399nxdZG0gY0qoIbHUWxhS7nhCJH/lNT0aU1EP
umdxH+WNVYA+8nUfz/Hus6pps8PhvUtr/Gr8rItP
X53M+ILATaTTCk3VJbGAoADQw2NYUVqKb/iGxc4T
Bfd8AgNNEhkCLNfeV6GjWITXbiDf+ZZRPV7mp2Sv
QrpbQF24fCHfm/ei1Zt52pGdByk=
) ; KSK, RSASHA256 (2048b), id = 9976
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164008 (
20200725151008 9976 example.com.
OTwPOHRRh0WOwIf3RLQDkcxM+dEEYfG3uHfy5Z6F
FJYO71JkPrMGgi5vR3aZClkADQ8Ncd+MvfMuzTB8
hXOa/SUFDcwf0cX2eO0uZQy1SKfFSnqmMarpr37v
Bd9xCy7WthsVg/6FjkkOZaPHI6hyQgjVQjeiIv5m
raFP9XILCzg8FTVZumh99pbC3BuQ9YtyjqoNz9oF
xB1IsEw2iabeowJqQIorm2BV9n0MpmOWEHaAZzov
uLY4O2FaaSs0vfT7kNrpv/CXvv26JCh7amwuYbjE
qAXkq+2Zscc9gARUIF89DHKKtDv70Hp3tB/ykS54
QB1uTA2sQGlYJN/9AXC+4g==
)
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164008 (
20200725151008 21790 example.com.
dR9LxHmDVVAfBAuY7TORnHIlhpGBsUcN0j3p2rcu
m6JACKP6VxZY9d216Xv7jgS6bToBVPuaRv9GMNje
k2NpWgG4ZIh1y2iKXdHrX+EN7+On980b8UsEaSZg
JIAL2q40XdftuD6hKDFte4MZEueoYoJJsEJQruCZ
0T3vrZHUcwFm9X+lxNvin4SWNYjNgY+RX7xrc81A
I/ualn6S/lGJTBgGVs5eSRHrprMDlehCZHjqnjVQ
1QI4acmZS97oJgF1RzF6WR7ZnQ+zGJk0F3ETbC4b
IcVHqVV/vJcrQIk6Y2UlFE1VxY9qs0QaXb1k0ezm
oUL+r/SGzSjYAdfKbFQjyw==
)
** I set revocation flag
[root@ods knotrev]# keymgr example.com set 09976 revoke=+1mi
OK
[root@ods knotrev]# knotc -b reload
Reloaded
2020-07-25T16:42:03 info: configuration reloaded
2020-07-25T16:42:03 info: [example.com.] DNSSEC, signing zone
2020-07-25T16:42:03 info: [example.com.] DNSSEC, key, tag 9976, algorithm RSASHA256, KSK, public, active
2020-07-25T16:42:03 info: [example.com.] DNSSEC, key, tag 21790, algorithm RSASHA256, KSK, public, active
2020-07-25T16:42:03 info: [example.com.] DNSSEC, key, tag 45025, algorithm RSASHA256, public, active
2020-07-25T16:42:03 info: [example.com.] DNSSEC, signing started
2020-07-25T16:42:03 info: [example.com.] DNSSEC, zone is up-to-date
2020-07-25T16:42:03 info: [example.com.] DNSSEC, next signing at 2020-07-25T16:42:56
2020-07-25T16:42:56 info: [example.com.] DNSSEC, signing zone
2020-07-25T16:42:56 info: [example.com.] DNSSEC, key, tag 21790, algorithm RSASHA256, KSK, public, active
2020-07-25T16:42:56 info: [example.com.] DNSSEC, key, tag 10104, algorithm RSASHA256, KSK, public, active+
2020-07-25T16:42:56 info: [example.com.] DNSSEC, key, tag 45025, algorithm RSASHA256, public, active
2020-07-25T16:42:56 info: [example.com.] DNSSEC, signing started
2020-07-25T16:42:56 info: [example.com.] DNSSEC, successfully signed
2020-07-25T16:42:56 info: [example.com.] DNSSEC, next signing at 2020-08-01T16:38:45
2020-07-25T16:42:56 info: [example.com.] zone file updated, serial 2010111218 -> 2010111219
** finally: a new key tag: s/09976/10104/
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAaydhne/z5EwMRvT1MxcHorlCMjbA5Iv8V3r
vrweDL/vG/U+Q6lqxwV4ndKJB99V76eLYwwGMS9k
ZPfbjrrelG7JIipqvUSFdvw/Yl6u49qNxtP2orP+
02ZqJjLp4d877M1eRsMkY4Xj6L2Fu60u9zpgMIzM
nUzrZ09qTeULkat/8IO59tLfqgO5TqijweSozH2T
b13Q5E0uxWbMcPiDeBDezCLx2WNmzL2B1gn+tLhB
8vTzExVHjt3JYXTPhG1ozRydybkeelem6n4mOAVN
s8enD9Fti2Tqny/aJnspi2+Tumk488x1sY5Ea9/V
8b2aFK8OeT0MlWwpVVGacbOoU20=
) ; KSK, RSASHA256 (2048b), id = 21790
example.com. 3600 IN DNSKEY 385 3 8 (
AwEAAcQbt9aCQA7bzkiY34UsOtjlc+MsGTkWia4e
Dajwf+05ESYNPYvueGTnOGtgkkqfzKLCqoQBnagO
wzSj6xcThmVgehbQ38mz+3kwK0aPI5h9msKNiLc2
DlyMT0dGNpA5Hn9TF3TcBq/nnZDQ2SlolkfrJgm4
QM399nxdZG0gY0qoIbHUWxhS7nhCJH/lNT0aU1EP
umdxH+WNVYA+8nUfz/Hus6pps8PhvUtr/Gr8rItP
X53M+ILATaTTCk3VJbGAoADQw2NYUVqKb/iGxc4T
Bfd8AgNNEhkCLNfeV6GjWITXbiDf+ZZRPV7mp2Sv
QrpbQF24fCHfm/ei1Zt52pGdByk=
) ; KSK, RSASHA256 (2048b), id = 10104
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164256 (
20200725151256 10104 example.com.
kF288e6D/JfuFsiSJUaFweVX9fLPmaTPxVEbl9N0
ni3LMnpxHSc5NEudRAfgEe3Q8cRhxJIkcsoGWfBV
k0l2Z+0olvNlAPEMnE5SqsCOD23LgqV57rt9HOX6
WuFHIyViFDtjQRxdXLTIMQzrG1nFpiEJiQUsUUF2
4cpZTjijs4uwUd4jgrqBYWjdIPOq56suSVSVXzlz
sEjF9B4gKrnj4CcQjzQ8DHluqxSgjX08V68wf/sP
4yrYNH8eFvjEonw8kTT6PFzm7fxFmCHt2eTaYnLK
+fg0s8wK3ajbj25CovWHNPX72UKXqA1iUlDQbh78
WhyDJ82Bi1PQb6g5lq3IEg==
)
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200808164256 (
20200725151256 21790 example.com.
MqFIpEKiZZ+9/UAlt2hM3+HjxW4LwiXhjNGBQcVm
K7Ak/qNOpSqhoLnDcKKuI+ub+MU05ToNQ/JrWHLm
xUki6t69PYTlsU5CFOEfE4MqJgqTyIgOuG31AvPv
JtV1qJl4vzLWAgdrY8p2HFZuto5pGDjgoa43/aEf
wpUKltTqh2Kc9SfLvp27GUHyuRswCBN7D8cX+PWf
3I/yv5za92VxBeBbg1ByjcifNQRGYMTaOE44glwL
WivzETk5THtAzWqAa8ebR2aECYB1tVs9gU/sP9hd
gyerXVa/3XeLjtuYRi2MriVdKJK9X93mD/xB/hTP
Q8mVbwKNUlCHsPNQsfYCxg==
)
[root@ods knotrev]# keymgr example.com list
[root@ods knotrev]# keymgr example.com list iso
1ef2baf93933d25f304069427bed34938ada5543 ksk=yes zsk=no tag=09976 algorithm=8 size=2048 public-only=no pre-active=1970-01-01T00:00:00Z publish=2020-07-25T16:38:34Z ready=2020-07-25T16:38:34Z active=2020-07-25T16:38:34Z retire-active=1970-01-01T00:00:00Z retire=1970-01-01T00:00:00Z post-active=1970-01-01T00:00:00Z revoke=2020-07-25T16:42:56Z remove=1970-01-01T00:00:00Z
27abf5cf726c1ee9d72a1d1498b8cd14b1d25cc3 ksk=yes zsk=no tag=21790 algorithm=8 size=2048 public-only=no pre-active=1970-01-01T00:00:00Z publish=2020-07-25T16:39:02Z ready=2020-07-25T16:39:02Z active=2020-07-25T16:39:02Z retire-active=1970-01-01T00:00:00Z retire=1970-01-01T00:00:00Z post-active=1970-01-01T00:00:00Z revoke=1970-01-01T00:00:00Z remove=1970-01-01T00:00:00Z
2f7e102251d5589ab674ed0bb9c0505ba07ee078 ksk=no zsk=yes tag=45025 algorithm=8 size=1024 public-only=no pre-active=1970-01-01T00:00:00Z publish=2020-07-25T16:38:22Z ready=1970-01-01T00:00:00Z active=2020-07-25T16:38:22Z retire-active=1970-01-01T00:00:00Z retire=1970-01-01T00:00:00Z post-active=1970-01-01T00:00:00Z revoke=1970-01-01T00:00:00Z remove=1970-01-01T00:00:00Z
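
The tag change seen above (09976 becomes 10104 when the DNSKEY flags go from 257 to 385) follows from the key tag being a checksum over the whole DNSKEY RDATA, flags included, so setting the REVOKE bit (128) alters it while the key material stays the same. The following is an added example, not part of the original transcript or of Knot DNS: it implements the RFC 4034 Appendix B key tag calculation and applies it to the public key copied from the DNSKEY record above. The names `key_tag`, `tag_after_revoke` and `page_key` are this example's own.

```python
import base64
import struct

REVOKE = 0x0080    # REVOKE bit in the DNSKEY flags field (RFC 5011)
KSK_FLAGS = 257    # Zone Key + SEP, the flags of both KSKs in the transcript

# Public key of the KSK shown with id 9976, copied from the DNSKEY record above.
KSK_9976_B64 = """
AwEAAcQbt9aCQA7bzkiY34UsOtjlc+MsGTkWia4e
Dajwf+05ESYNPYvueGTnOGtgkkqfzKLCqoQBnagO
wzSj6xcThmVgehbQ38mz+3kwK0aPI5h9msKNiLc2
DlyMT0dGNpA5Hn9TF3TcBq/nnZDQ2SlolkfrJgm4
QM399nxdZG0gY0qoIbHUWxhS7nhCJH/lNT0aU1EP
umdxH+WNVYA+8nUfz/Hus6pps8PhvUtr/Gr8rItP
X53M+ILATaTTCk3VJbGAoADQw2NYUVqKb/iGxc4T
Bfd8AgNNEhkCLNfeV6GjWITXbiDf+ZZRPV7mp2Sv
QrpbQF24fCHfm/ei1Zt52pGdByk=
"""


def page_key():
    """Decode the sample key, ignoring the line breaks of the zone-file form."""
    return base64.b64decode("".join(KSK_9976_B64.split()))


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back in once
    return acc & 0xFFFF


def tag_after_revoke(flags, protocol, algorithm, public_key):
    """Return (flags, tag) as they will appear once REVOKE is set on the key."""
    revoked = flags | REVOKE
    return revoked, key_tag(revoked, protocol, algorithm, public_key)


if __name__ == "__main__":
    key = page_key()
    print("before revoke:", KSK_FLAGS, key_tag(KSK_FLAGS, 3, 8, key))
    print("after revoke: ", *tag_after_revoke(KSK_FLAGS, 3, 8, key))
```

The tag usually moves by exactly 128, but when the running sum crosses a 16-bit boundary the folded carry makes the difference 129 modulo 65536, so the post-revocation tag should be computed rather than derived by adding 128. Note that `keymgr list` above still reports `tag=09976` for the revoked key, while the signing log and the published DNSKEY carry 10104.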