Seeking Advice on DNSSEC Algorithm Rollover
Alexander Gurvitz
alex at net-me.net
Sun Jun 24 06:02:12 UTC 2012
Hello.
I don't think that BIND trying to sign with a non-existent key will do any
harm - probably just a warning.
But it's simpler - change the metadata of the key - set the deletion time to the
time you want the key to be deleted (like DS deletion time+TTL).
BIND with auto-dnssec allow re-reads the metadata and should remove the key
and all the signatures at that time.
You don't need nsupdate nor update-policy for that.
Regards,
Alexander Gurvitz,
net-me.net