auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis Mathew.Eis at nau.edu
Fri Jul 15 16:56:05 UTC 2016


>    I'm not sure how what you are asking for is different from the default.

Indeed, that’s what I get for reading an outdated version of the documentation! (which didn’t mention the second field) Looks like it does everything I want…

Thanks again,

-Mathew Eis

-----Original Message-----
From: Tony Finch <dot at dotat.at>
Date: Thursday, July 14, 2016 at 3:17 AM
To: Mathew Eis <Mathew.Eis at nau.edu>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal

    Mathew Ian Eis <Mathew.Eis at nau.edu> wrote:
    >
    > sig-validity-interval seems to only affect the expiration date of newly
    > created signatures, and of course signatures are only rolling over to
    > new keys as they expire.
    >
    > I am wondering if I can ask bind to set the expiration for, say 30 days
    > out, but when a new key is published, publish all signatures with the
    > new key sooner, say, a week before the previous ones expire.
    
    I'm not sure how what you are asking for is different from the default.
    
    Here's what the ARM says (slightly edited for clarity):
    
    : sig-validity-interval specifies the number of days into the future when
    : automatically generated DNSSEC signatures will expire. There is an
    : optional second field which specifies how long before expiry that the
    : signatures will be regenerated. The second field is specified in days if
    : the base interval is greater than 7 days otherwise it is specified in
    : hours. If not specified, the signatures will be regenerated at 1/4 of
    : base interval. The default base interval is 30 days giving a re-signing
    : interval of 7 1/2 days.
    
    So typically you would use dnssec-settime to retire the old key and
    activate the new key at the same time (so you don't have multiple RRSIGs
    per RRset). After this time it will take 22.5 days to replace all the
    signatures, so the old signatures will all be gone 7.5 days before the
    last one expires.
    
    I've set my servers for faster RRSIG turnover, sig-validity-interval 10 8,
    so all signatures are replaced every 2 days, and the 8 day grace period is
    a bit longer than the 7 day SOA expire time.
    
    Tony.
    -- 
    f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
    South Utsire: Northwesterly 5 to 7, perhaps gale 8 later. Moderate or rough.
    Showers. Good.
    
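A small model of the ARM rule Tony quotes, added here as an example rather than anything from BIND itself: it reproduces the default 30-day schedule (re-sign at 7.5 days, full turnover in 22.5), his `sig-validity-interval 10 8` setting, and the days-versus-hours rule for the second field. The function names and the SOA-expire comparison are my own assumptions, not BIND options.

```python
"""Model BIND's sig-validity-interval re-signing schedule (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ResignSchedule:
    validity_days: float   # how far into the future newly made RRSIGs expire
    resign_days: float     # how long before expiry a signature is regenerated

    @property
    def turnover_days(self) -> float:
        # Every RRSIG is regenerated this long after it was made, so once a new
        # key is active the whole zone is re-signed with it within this window.
        return self.validity_days - self.resign_days


def sig_validity_interval(base: int, resign: Optional[int] = None) -> ResignSchedule:
    """Interpret `sig-validity-interval <base> [<resign>]` as the ARM describes.

    - base is always in days;
    - the optional second field is in days if base > 7, otherwise in hours;
    - if omitted, signatures are regenerated at 1/4 of the base interval.
    """
    if base <= 0:
        raise ValueError("base interval must be positive")
    if resign is None:
        resign_days = base / 4
    else:
        if resign <= 0:
            raise ValueError("re-sign interval must be positive")
        resign_days = float(resign) if base > 7 else resign / 24
    if resign_days >= base:
        raise ValueError("re-sign interval must be shorter than the base interval")
    return ResignSchedule(float(base), resign_days)


def grace_exceeds_soa_expire(schedule: ResignSchedule, soa_expire_days: float) -> bool:
    """True when the re-sign grace period is longer than the SOA expire time, so a
    secondary that stops receiving transfers discards the zone before any of the
    signatures it holds can lapse (the margin Tony's `10 8` setting keeps)."""
    return schedule.resign_days > soa_expire_days
```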