"auto-dnssec maintain;" and key "missing or inactive and has no replacement"
    Stephane Bortzmeyer
    bortzmeyer at nic.fr
    Wed Jul 24 09:29:15 UTC 2013

I'm trying "auto-dnssec maintain;" with a BIND 9.9.3-P1. My
configuration is:
options {
        directory "/tmp/bind";
        key-directory "/tmp/bind";
};
zone "example" {
        type master;
        file "example";
        inline-signing yes;
        auto-dnssec maintain;
};
Apparently, everything works. The key I created and put in /tmp/bind
is used, the zone is signed, everyone is happy.
But I get messages:
24-Jul-2013 07:39:25.480 zone example/IN (signed): Key example/RSASHA256/46747 missing or inactive and has no replacement: retaining signatures.
Which I do not understand. The key is there:
% ls -lt /tmp/bind/Kexample.+008+46747*
-rw-r--r-- 1 bortzmeyer bortzmeyer  597 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.key
-rw------- 1 bortzmeyer bortzmeyer 1776 Jul 23 12:02 /tmp/bind/Kexample.+008+46747.private
And is certainly active:
% cat /tmp/bind/Kexample.+008+46747.key 
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
...
And, despite the message "retaining signatures", signatures *are*
regenerated periodically, even after the warning:
example.		600 IN RRSIG DNSKEY 8 1 600 20130725045802 (
				20130724043925 46747 example.
				rkNJdCp8PV3PzEsVc6efh/mBY3eHZcL3712ELD2g7gte
...
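As an added check (my own script, not part of the original post or of BIND), the following Python reads the timing metadata comments from a Kexample.+008+46747.key-style file and reports what state the key is in at the time of the log message; the key file embedded below is a constructed sample modelled on the one quoted above, with placeholder key data, and the event semantics (Publish/Activate/Inactive/Delete) are assumed to follow dnssec-keygen's timing model.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the key file quoted in the post; not real key material.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 46747, for example.
; Created: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Publish: 20130723100005 (Tue Jul 23 12:00:05 2013)
; Activate: 20130723070226 (Tue Jul 23 09:02:26 2013)
example. IN DNSKEY 257 3 8 PLACEHOLDER-KEY-DATA
"""

TIMING_EVENTS = ("Created", "Publish", "Activate", "Inactive", "Delete")
_EVENT_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})")
_KEYID_RE = re.compile(r"^;\s*This is a (key-signing|zone-signing) key, keyid (\d+)")

def parse_stamp(stamp):
    """The 14-digit YYYYMMDDHHMMSS values are UTC; the bracketed local time is ignored."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_file(text):
    """Extract key role, keyid and the timing metadata from the comment header."""
    info = {"role": None, "keyid": None, "timing": {}}
    for line in text.splitlines():
        m = _KEYID_RE.match(line)
        if m:
            info["role"] = "KSK" if m.group(1) == "key-signing" else "ZSK"
            info["keyid"] = int(m.group(2))
            continue
        m = _EVENT_RE.match(line)
        if m and m.group(1) in TIMING_EVENTS:
            info["timing"][m.group(1)] = parse_stamp(m.group(2))
    return info

def key_state(timing, now):
    """Classify the key at `now` (14-digit UTC stamp). Later events take precedence;
    an absent event never happens, so a key with no Activate line is never active."""
    at = parse_stamp(now)
    passed = lambda ev: ev in timing and timing[ev] <= at
    for ev, state in (("Delete", "deleted"), ("Inactive", "inactive"),
                      ("Activate", "active"), ("Publish", "published")):
        if passed(ev):
            return state
    return "unpublished"

def audit_key_file(text, now):
    """Combine parsing and classification: one dict describing the key at `now`."""
    info = parse_key_file(text)
    info["state"] = key_state(info["timing"], now)
    return info
```

Point it at the real .key file and the timestamp of the "missing or inactive" message to confirm that the metadata named reads really does place the key in the active window.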