ZSK rollover detail needed.
Mark Andrews
marka at isc.org
Fri Feb 19 00:36:01 UTC 2016
In message <201602181942.u1IJgrKF001916 at dolphin.adi.com>, Thomas Schulz writes:
> A recommended way to set up a ZSK rollover is to set the inactive date of
> the current key one month later than the publish date of the replacement key.
> This makes sense as the RRSIG records are created to last one month from
> their creation date.
> Now if I try to speed up the ZSK rollover to make the old ZSK inactive
> a few days after the replacement key is created (and make the replacement
> key active at that time), will Bind start making new RRSIG records at that
> time even though the current RRSIG records may have weeks to go?
Named will replace RRSIG records as they fall due for re-signing.
The key(s) used to re-sign them depend upon which ones are marked
active at that time. Named will not proactively replace RRSIG
records unless explicitly told to via rndc.
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
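
The re-signing behaviour described in the reply above, as a simplified model (an added example, not part of the original thread and not BIND code). It assumes the 30-day RRSIG lifetime from the question, a re-sign point 7.5 days before expiry, no forced re-signing via rndc, and constructed RRset names and dates.

```python
from datetime import datetime, timedelta

# Assumptions of this model (not taken from named's source code):
VALIDITY = timedelta(days=30)              # RRSIG lifetime, "one month" as in the thread
RESIGN_LEAD = timedelta(days=7, hours=12)  # an RRSIG falls due this long before it expires


def first_new_zsk_signing(expiry, old_inactive):
    """Return the time at which an RRset is first signed by the replacement ZSK.

    expiry       -- expiration of the RRset's current RRSIG (made with the old ZSK)
    old_inactive -- time the old ZSK goes inactive and the replacement goes active
    """
    due = expiry - RESIGN_LEAD
    while due < old_inactive:
        # The old ZSK is still the active key when this RRSIG falls due,
        # so the RRset is re-signed with the old key for another full lifetime.
        expiry = due + VALIDITY
        due = expiry - RESIGN_LEAD
    return due


def rollover_report(rrsig_expiry, old_inactive):
    """Map each RRset to its switch-over time; also return the latest one,
    i.e. when the last old-ZSK RRSIG is replaced in the zone."""
    switch = {name: first_new_zsk_signing(exp, old_inactive)
              for name, exp in rrsig_expiry.items()}
    return switch, max(switch.values())


# Constructed sample: old ZSK made inactive a few days into the rollover.
OLD_INACTIVE = datetime(2016, 2, 22)
SAMPLE_EXPIRY = {
    "www.example.":  datetime(2016, 2, 28),  # falls due before the old key goes inactive
    "mail.example.": datetime(2016, 3, 5),
    "ftp.example.":  datetime(2016, 3, 18),
}

if __name__ == "__main__":
    per_rrset, last = rollover_report(SAMPLE_EXPIRY, OLD_INACTIVE)
    for name, when in sorted(per_rrset.items(), key=lambda kv: kv[1]):
        print(f"{name:15s} first signed by new ZSK at {when:%Y-%m-%d %H:%M}")
    print(f"last old-ZSK RRSIG replaced at {last:%Y-%m-%d %H:%M}")
```

In this sample the old ZSK goes inactive on 22 February, yet the last RRSIG made with it is not replaced until 14 March, because that RRset fell due two days before the switch.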