DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing the zone's TTL

Александр Остапенко aleks.ostapenko.post at gmail.com
Tue Aug 16 07:52:54 UTC 2016


Thanks for the workaround. But in this case, after "dnssec-settime -L ttl" I
need to unsign/sign the zone (p.1 of the steps above) in order for the new TTL
value to appear in the DNSKEY RRset ("service bind9 reload" or "rndc loadkeys"
has no effect). But I would like to find a solution without the need for an
unsigning/signing cycle.
Besides, the question is: is this a bug? Or is this behavior caused by some
rules or restrictions?

Kind regards,
Александр Остапенко

2016-08-16 8:59 GMT+07:00 Mark Andrews <marka at isc.org>:

>
> In message <CAMUgSQDxY_BnEgnAe4eQpoV_cHb7ScZ=qxT_-4CVW3nLokctag@mail.gmail.com>, Александр Остапенко writes:
> > Hello.
> >
> > I'm using BIND 9.9.5.
> > My steps:
> >
> >    1. Sign zone using 1 ZSK and 2 KSK: a) adding "*auto-dnssec maintain;*"
> >       and "*inline-signing yes;*" directives into the zone section of
> >       named.conf; b) setting publication and activation timestamps to the
> >       current time in key files; c) *rndc reload*.
> >    2. Change TTL value in the zone file ($TTL 86400 ==> $TTL 432000).
> >    3. Increase serial number in SOA record by 1.
> >    4. *rndc reload*.
> >
> > After that, DNSKEY and RRSIG DNSKEY records still have the 86400 value in TTL
> > (checked via *dig*).
> > What could be the reason for such behavior?
> >
> >
> > Kind regards,
> > Aleks Ostapenko
>
> Use "dnssec-settime -L ttl"
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
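An added check, not from either poster, for the symptom discussed in this thread: it parses `dig` answer output and flags DNSKEY and RRSIG DNSKEY records whose TTL, or whose RRSIG "original TTL" field, still carries the old value after the zone's $TTL was raised. The answer lines are constructed samples; the zone name and key material are placeholders.

```shell
#!/bin/sh
# Constructed sample of "dig +noall +answer example.com DNSKEY" output after the
# zone $TTL was raised to 432000 but the keys were not re-signed (placeholder key data).
STALE='example.com. 86400 IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDER
example.com. 86400 IN DNSKEY 257 3 8 AwEAAdKSKPLACEHOLDER
example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20160915000000 20160816000000 12345 example.com. c2lnMQ=='

# Constructed sample of the same answer once the DNSKEY RRset carries the new TTL.
FRESH='example.com. 432000 IN DNSKEY 256 3 8 AwEAAcZSKPLACEHOLDER
example.com. 432000 IN DNSKEY 257 3 8 AwEAAdKSKPLACEHOLDER
example.com. 432000 IN RRSIG DNSKEY 8 2 432000 20160915000000 20160816000000 12345 example.com. c2lnMQ=='

# check_dnskey_ttl EXPECTED_TTL ANSWER_TEXT
# Prints one line per stale value and returns 1 if any was found, 0 otherwise.
# In an RRSIG the 8th field is the "original TTL" the signature was computed
# over, so a stale value there shows the RRset was signed before the change.
check_dnskey_ttl() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $3 == "IN" && $4 == "DNSKEY" && $2 != want {
            bad++; printf "DNSKEY TTL %s (want %s)\n", $2, want
        }
        $3 == "IN" && $4 == "RRSIG" && $5 == "DNSKEY" {
            if ($2 != want) { bad++; printf "RRSIG DNSKEY TTL %s (want %s)\n", $2, want }
            if ($8 != want) { bad++; printf "RRSIG DNSKEY original TTL %s (want %s)\n", $8, want }
        }
        END { exit (bad > 0) }'
}

# Live use: check_dnskey_ttl 432000 "$(dig +noall +answer example.com DNSKEY)"
if check_dnskey_ttl 432000 "$STALE"; then
    echo "DNSKEY RRset carries the new TTL"
else
    echo "DNSKEY RRset still carries the old TTL; the key TTL must be updated and the RRset re-signed"
fi
```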

