error when removing expired key files
Gordon Messmer
gordon.messmer at gmail.com
Tue May 9 04:52:03 UTC 2017
On 05/08/2017 03:22 AM, Tony Finch wrote:
> Gordon Messmer <gordon.messmer at gmail.com> wrote:
>> After new keys are introduced, and after the old key has expired,
> Wait right there!
>
> dnssec-settimes has two times that are usually relevant to the old key
> when rolling keys: the retire time and the delete time. (There's also a
> revocation time but we don't need to worry about that now.)
>
> There isn't a key expire time.
Yes, sorry. I'm removing the key file shortly after the "deleted" date.
I think the problem is probably that I'm not waiting long enough. I
need to give bind at least one hour, so that it passes its "next key
event", right?
> You might also want to take a look at the dnssec-keymgr utility:
> https://ftp.isc.org/isc/bind9/9.11.1/doc/arm/man.dnssec-keymgr.html
That looks great. Red Hat is shipping bind 9.9, so I hadn't seen it.
I'd imagine it doesn't actually depend on any 9.11 features, and can run
on bind 9.9?
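As an added example (not code from this thread or from ISC), the wait the reply is describing: read the delete time that dnssec-settime writes into the K*.key file header and treat the file as removable only once that time plus a one-hour grace for named's "next key event" has passed. The key header is a constructed sample, and `files_to_remove` assumes the standard K*.key / K*.private naming.

```python
"""Decide whether an old DNSSEC key file is safe to remove from disk.
BIND records key timing as comments in each K*.key file (14-digit UTC stamps);
named only acts on them at its next key event, so a grace period is added."""
import re
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Grace so named passes its "next key event" after the delete time (assumed 1h).
KEY_EVENT_GRACE = timedelta(hours=1)

# Constructed sample (not a real key): the header dnssec-keygen/settime writes.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20170401000000 (Sat Apr  1 00:00:00 2017)
; Publish: 20170401000000 (Sat Apr  1 00:00:00 2017)
; Activate: 20170401000000 (Sat Apr  1 00:00:00 2017)
; Inactive: 20170501000000 (Mon May  1 00:00:00 2017)
; Delete: 20170508000000 (Mon May  8 00:00:00 2017)
example.com. IN DNSKEY 256 3 8 AwEAAconstructedNotARealKey=
"""

_TIMING_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})", re.MULTILINE)

def parse_stamp(stamp):
    """Convert BIND's 14-digit YYYYMMDDHHMMSS (UTC) stamp to a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_times(text):
    """Map each timing event (Created, Publish, ..., Delete) to a UTC datetime."""
    return {name: parse_stamp(stamp) for name, stamp in _TIMING_RE.findall(text)}

def removal_status(text, now):
    """'keep': no delete time or not reached; 'wait': delete time passed but
    named may not have processed it yet; 'remove': delete time plus grace passed."""
    delete_at = parse_key_times(text).get("Delete")
    if delete_at is None or now < delete_at:
        return "keep"
    if now < delete_at + KEY_EVENT_GRACE:
        return "wait"
    return "remove"

def files_to_remove(key_dir, now=None):
    """List the .key and .private files in key_dir that are safe to remove."""
    now = now or datetime.now(timezone.utc)
    paths = []
    for key_path in sorted(Path(key_dir).glob("K*.key")):
        if removal_status(key_path.read_text(), now) == "remove":
            paths += [key_path, key_path.with_suffix(".private")]
    return paths
```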