dnssec-policy - any way to force BIND to resign all records?
vom513
vom513 at gmail.com
Fri Dec 16 00:20:59 UTC 2022
Hello,
I changed one of my domains over to dnssec-policy today (in a “nuclear” fashion) - but everything went surprisingly well. Previous to this, I had lowered all my TTLs to hopefully help with this process or any errors/mistakes I might make.
I then went to put the TTLs back to their normal higher value. What I wasn’t aware of is the discrepancy that now exists between the RR TTL and RRSIG TTL. DNSViz validates all the way down just fine - but I get errors on my top level common RRs due to this mismatch.
I assume over time as BIND resigns nodes, these will all get in sync?
In the meantime - is there any way to “force” BIND to resign everything? I’m not seeing an rndc command that looks to do this. Looks like all the dnssec policy commands are under “rndc dnssec <option>”. The other commands are obviously for the “old” way of signing.
So is there a way to do this? Or do I just need to wait?
Thanks.
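Added example, not part of the original post: a check for the TTL mismatch described above. It compares each RRset's TTL with the TTL and the Original TTL field (RFC 4034, section 3.1.4) of its covering RRSIG, reading `dig +dnssec` style output; the sample records and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the format printed by `dig +dnssec +norec` against an
# authoritative server; names, TTLs and signature data are made up.
SAMPLE = """\
example.test.      86400 IN NS    ns1.example.test.
example.test.      86400 IN NS    ns2.example.test.
example.test.      300   IN RRSIG NS 13 2 300 20221230000000 20221216000000 12345 example.test. c2ln
example.test.      3600  IN MX    10 mail.example.test.
example.test.      3600  IN RRSIG MX 13 2 3600 20221230000000 20221216000000 12345 example.test. c2ln
www.example.test.  86400 IN A     192.0.2.10
"""

def parse(text):
    """Return ({(owner, type): ttl}, {(owner, covered): [(rrsig_ttl, original_ttl)]})."""
    rrsets, sigs = {}, defaultdict(list)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop dig comment lines
        if len(fields) < 5 or not fields[1].isdigit() or fields[2].upper() != "IN":
            continue
        owner, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3].upper()
        if rtype != "RRSIG":
            rrsets[(owner, rtype)] = ttl
        elif len(fields) >= 8:
            # RRSIG RDATA: type-covered algorithm labels original-ttl expiration ...
            sigs[(owner, fields[4].upper())].append((ttl, int(fields[7])))
    return rrsets, sigs

def ttl_mismatches(text):
    """List (owner, type, detail) for each RRset out of sync with its RRSIG."""
    rrsets, sigs = parse(text)
    findings = []
    for (owner, rtype), ttl in sorted(rrsets.items()):
        # RRsets with no RRSIG in the input (e.g. glue) are skipped:
        # there is nothing to compare against.
        for sig_ttl, orig_ttl in sigs.get((owner, rtype), []):
            if ttl != sig_ttl or ttl != orig_ttl:
                detail = f"RRset TTL {ttl}, RRSIG TTL {sig_ttl}, Original TTL {orig_ttl}"
                findings.append((owner, rtype, detail))
    return findings

if __name__ == "__main__":
    for finding in ttl_mismatches(SAMPLE):
        print(*finding)
```

Feed it answers taken directly from an authoritative server, since TTLs returned from a resolver's cache count down and will not match the Original TTL field.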