git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Fri, 3 Dec 2021 15:18:13 +0000 (16:18 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Thu, 6 Jan 2022 08:32:32 +0000 (09:32 +0100)
commit	2d2858841a8a749792f50ff077d03cf50f730981
tree	60a0a2bcfc124f4d5f6a3d659475aa20bed444f8	tree \| snapshot
parent	bb76fb193783d05566e77f4f9ed9e1d716fbbb1d	commit \| diff

Only warn if we could not delete signature

BIND can log this warning:

zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
missing or inactive and has no replacement: retaining signatures.

This log can happen when BIND tries to remove signatures because the
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files has been removed from disk. When we have
created a new ZSK we can replace the signatures creeated by the KSK
with signatures from the new ZSK.

It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.

The warning is logged if BIND detects the private ZSK file is missing.

The warning is logged even if we were able to delete the signature.

With the change from this commit it only logs this warning if it is not
okay to delete the signature.