Exercising RFC 5011 rollovers
Evan Hunt
each at isc.org
Tue Jan 10 00:07:35 UTC 2012
On Mon, Jan 09, 2012 at 09:40:51PM +0000, Chris Thompson wrote:
> | If the resolver ever sees the DNSKEY RRSet without the new key but
> | validly signed, it stops the acceptance process for that key and
> | resets the acceptance timer.
>
> What BIND does is to retain the entry for the new key in managed-keys.bind
> but every time it notices that it is no longer published it sets the
> KEYDATA.addhd field 30 days in the future. Thus it will never get accepted
> as a trust anchor.
>
> That seems to satisfy the letter of the law, but it does mean that
> managed-keys.bind remains cluttered with such keys.
You have a point. I don't remember making that particular design decision,
but I probably just didn't think about it. "Reset the acceptance timer"
implies the existence of a timer; if I'd deleted the key, there wouldn't
be a timer to reset. :)
Feel free to open a ticket at bind9-bugs at isc.org. It's not likely to be
a particularly high-priority fix, though.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
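The add hold-down behaviour the two posters are discussing can be made concrete with a small state machine. The following is an added illustration, not BIND code and not from either poster: it models a validator's pending-key table, starts a 30-day add hold-down when a new DNSKEY first appears in a validly-signed RRset, and, when a pending key later goes missing from such an RRset, either keeps the entry and pushes its acceptance date 30 days out (the BIND behaviour Chris describes) or deletes the entry (the alternative Evan mentions). Key tags, the day counter and the `signers` set are constructed inputs; the 30-day value is the RFC 5011 default add hold-down, and "validly signed" is approximated as "signed by at least one currently trusted key".

```python
"""Toy model of the RFC 5011 add hold-down timer (added example, not BIND code)."""
from dataclasses import dataclass, field

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 default add hold-down period


@dataclass
class PendingKey:
    tag: int
    add_hold_down_ends: int  # day on which the key may become a trust anchor


@dataclass
class Rfc5011Tracker:
    """Tracks trusted anchors and keys waiting out the add hold-down."""
    trusted: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # tag -> PendingKey
    # True: keep unpublished pending keys and push their timer out (BIND as described)
    # False: drop unpublished pending keys from the table (no timer left to reset)
    keep_unpublished: bool = True

    def observe(self, day, dnskey_tags, signers):
        """Process one DNSKEY RRset seen on `day`, signed by the keys in `signers`."""
        # Only a validly-signed RRset (here: signed by a trusted key) drives the state machine.
        if not (signers & self.trusted):
            return
        # Keys seen for the first time start the add hold-down timer.
        for tag in dnskey_tags:
            if tag not in self.trusted and tag not in self.pending:
                self.pending[tag] = PendingKey(tag, day + ADD_HOLD_DOWN_DAYS)
        # Pending keys either advance toward acceptance or are reset/dropped.
        for tag, pk in list(self.pending.items()):
            if tag not in dnskey_tags:
                if self.keep_unpublished:
                    # Entry stays in the table but can never reach its acceptance date
                    # while it remains unpublished, since the date keeps moving out.
                    pk.add_hold_down_ends = day + ADD_HOLD_DOWN_DAYS
                else:
                    del self.pending[tag]
            elif day >= pk.add_hold_down_ends:
                # Seen continuously through the hold-down: promote to trust anchor.
                self.trusted.add(tag)
                del self.pending[tag]

    def pending_tags(self):
        return set(self.pending)


def run_scenario(keep_unpublished):
    """Constructed rollover: key 2 appears, vanishes once, then reappears.

    Returns (trusted, pending, acceptance day of key 2 or None) after day 40.
    """
    t = Rfc5011Tracker(trusted={1}, keep_unpublished=keep_unpublished)
    t.observe(0, {1, 2}, signers={1})   # day 0: key 2 first published
    t.observe(10, {1}, signers={1})     # day 10: key 2 missing from a signed RRset
    t.observe(35, {1, 2}, signers={1})  # day 35: key 2 back
    t.observe(40, {1, 2}, signers={1})  # day 40
    ends = t.pending[2].add_hold_down_ends if 2 in t.pending else None
    return set(t.trusted), t.pending_tags(), ends


if __name__ == "__main__":
    for mode in (True, False):
        print("keep_unpublished =", mode, "->", run_scenario(mode))
```

Under the keep-the-entry model the key's acceptance date is pushed from day 30 to day 40 on the day it is seen missing, so it is accepted on day 40 but the entry lingers in the table the whole time, which is the clutter Chris points out; under the delete model the key is forgotten on day 10 and its hold-down starts over on day 35, so on day 40 it is still pending. An RRset not signed by a trusted key is ignored entirely, so an attacker publishing an unsigned or self-signed DNSKEY cannot start a timer.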