zsk rollover
Alan Batie
alan at peak.org
Tue Feb 25 21:40:15 UTC 2020
On 2/25/20 1:30 PM, Mark Andrews wrote:
> Firstly unset the deletion date for the old key. It is way
> too early for incremental re-signing. Named replaces RRSIG
> *as-they-fall-due* for re-signing. With the defaults that
> takes 22.5 days with a sig-validity-interval of 30 days.
>
> All Inactivation does is STOP named signing records with that
> key. It does NOT cause old RRSIGs to be replaced. This is
> deliberate.
>
> You are using offline signing timings where everything in the
> zone is re-signed at once. To use the offline time model just
> use 22.5 days as the time to sign the zone rather than the fictional
> 0 seconds.
I'm supposedly using inline-signing:
auto-dnssec maintain;
inline-signing yes;
I set the time as short as I could as I really don't want to wait a
month to see the rollover happen, but I suspect (and I think that's what
you said above) it's the date in the RRSIG record that actually matters.
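As an added example (not part of Alan's or Mark's message, and not BIND code), here is the check Mark's reply implies: instead of watching the key's inactivation date, read the expiration dates inside the RRSIGs themselves and work out when the last signature made with the old ZSK will be regenerated. The BIND defaults assumed here are a 30-day sig-validity-interval with a re-sign window of one quarter of it (7.5 days before expiry, i.e. each RRSIG is replaced 22.5 days after it was made, matching the figure quoted above); the RRSIG lines, key tags and zone name are constructed for the example.

```python
"""Check whether an inactivated ZSK can be deleted yet.

Added example, not code from the thread or from BIND. It parses RRSIG records in
presentation format (one record per line, as `dig +dnssec` prints them without
+multiline, or as found in a signed zone file). named regenerates each RRSIG only
when its re-sign window is reached, so inactivating a key does not make its old
RRSIGs go away; the key has to stay published until the last RRSIG it made has
been replaced and has aged out of resolver caches.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed BIND defaults: sig-validity-interval 30 days, re-sign window one quarter
# of the validity interval (7.5 days), i.e. each RRSIG is replaced 22.5 days in.
SIG_VALIDITY_DAYS = 30
RESIGN_DAYS = SIG_VALIDITY_DAYS / 4

# Constructed sample: zone example.com, old ZSK key tag 12345 (made inactive on
# 2020-02-25), new ZSK key tag 54321, KSK key tag 11111. Signature data truncated.
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20200325210000 20200224210000 12345 example.com. aGVsbG8=",
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20200320120000 20200219120000 12345 example.com. d29ybGQ=",
    "mail.example.com. 3600 IN RRSIG A 8 3 3600 20200326130000 20200225130000 54321 example.com. bmV3a2V5",
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20200325210000 20200224210000 11111 example.com. a3Nr",
]


def parse_ts(s):
    """RRSIG inception/expiration fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return a dict for one RRSIG line, or None for anything else.

    Field layout: owner ttl class RRSIG type-covered alg labels orig-ttl
    expiration inception key-tag signer signature...
    """
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "covered": f[4],
        "expiration": parse_ts(f[8]),
        "inception": parse_ts(f[9]),
        "keytag": int(f[10]),
        "signer": f[11],
    }


def rollover_report(lines, old_keytag, now, resign_days=RESIGN_DAYS):
    """Summarise how far the rollover away from `old_keytag` has progressed at `now`."""
    sigs = [r for r in map(parse_rrsig, lines) if r]
    by_tag = defaultdict(list)
    for r in sigs:
        by_tag[r["keytag"]].append(r)
    per_tag = {t: len(v) for t, v in by_tag.items()}
    old = by_tag.get(old_keytag, [])
    if not old:
        return {"remaining": 0, "last_resign": None, "earliest_delete": None,
                "safe_to_delete": True, "per_tag": per_tag}
    # named regenerates an RRSIG when `resign_days` remain before its expiration;
    # inactivating the key does not move that date, so the slowest RRSIG decides.
    last_resign = max(r["expiration"] - timedelta(days=resign_days) for r in old)
    # After replacement, resolvers may still hold the old RRSIG for up to its TTL
    # and need the old DNSKEY to validate it, so wait that long as well.
    max_ttl = max(r["ttl"] for r in old)
    earliest_delete = last_resign + timedelta(seconds=max_ttl)
    return {
        "remaining": len(old),
        "last_resign": last_resign,
        "earliest_delete": earliest_delete,
        "safe_to_delete": now >= earliest_delete,
        "per_tag": per_tag,
    }


if __name__ == "__main__":
    now = datetime(2020, 2, 25, 21, 40, tzinfo=timezone.utc)
    report = rollover_report(SAMPLE_RRSIGS, old_keytag=12345, now=now)
    print(f"RRSIGs per key tag: {report['per_tag']}")
    print(f"RRSIGs still made with 12345: {report['remaining']}")
    print(f"last one due for re-signing: {report['last_resign']:%Y-%m-%d %H:%M} UTC")
    print(f"earliest safe deletion:      {report['earliest_delete']:%Y-%m-%d %H:%M} UTC")
    print("safe to delete now:", report["safe_to_delete"])
```

Run against the output of `dig @ns example.com AXFR +dnssec` (or a dump of the signed zone) with your own old key tag and a real `now`; if the zone uses a non-default sig-validity-interval or re-sign value, pass `resign_days` accordingly. The point of the TTL term is that "no RRSIG in the zone still names the old key" is not the same as "no validator still needs the old key".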