zsk rollover

Mark Andrews marka at isc.org
Tue Feb 25 22:22:15 UTC 2020



> On 26 Feb 2020, at 08:40, Alan Batie <alan at peak.org> wrote:
> 
> On 2/25/20 1:30 PM, Mark Andrews wrote:
>> Firstly unset the deletion date for the old key.   It is way
>> too early for incremental re-signing.  Named replaces RRSIG
>> *as-they-fall-due* for re-signing.  With the defaults that
>> takes 22.5 days with a sig-validity-interval of 30 days.
>> 
>> All Inactivation does is STOP named signing records with that
>> key.  It does NOT cause old RRSIGs to be replaced.  This is
>> deliberate.
>> 
>> You are using offline signing timings where everything in the
>> zone is re-signed at once.  To use the offline time model just
>> use 22.5 days as the time to sign the zone rather than the fictional
>> 0 seconds.
> 
> I'm supposedly using inline-signing:
>        auto-dnssec maintain;
>        inline-signing yes;
> 
> I set the time as short as I could as I really don't want to wait a
> month to see the rollover happen, but I suspect (and I think that's what
> you said above) it's the date in the rrsig record that actually matters.

You could set sig-validity-interval to "30 29;" if you want to see things happen
faster.  This causes the RRSIGs to have a 30 day validity interval and be re-signed
29 days before that expires.

Remember with DNSSEC you never move onto the next step without checking that the
last step completed first.  The next step can always be stalled.  This applies to both
online and offline signing.  There are lots of “wait until xxx” in DNSSEC maintenance.
Don’t schedule multiple steps at once.  Even with a single machine unexpected events
can happen.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
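A small check for the "never move on before confirming the last step completed" advice in the reply above, added here as an example that is not part of the thread or of BIND itself: it parses RRSIG records from a dig-style dump, reports which key tags still sign the zone, and, from the sig-validity-interval re-sign offset, estimates when named will have replaced the last signature made with the old ZSK. The key tags (11111 old ZSK, 22222 new ZSK, 33333 KSK) and the sample records are constructed.

```python
"""Check whether a ZSK rollover's re-signing step is complete (added example).

named replaces RRSIGs as they fall due: with "sig-validity-interval V R" a
signature is regenerated R days before it expires (R defaults to V/4, so 7.5
days for V = 30). Key tags and sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)  # RRSIG times are UTC


def parse_rrsigs(text: str) -> list[dict]:
    """Parse RRSIGs in dig presentation format; DNSKEY signatures (made by the KSK) are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG type alg labels origttl expire incept keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG" or f[4] == "DNSKEY":
            continue
        sigs.append({"owner": f[0], "type": f[4], "expire": _ts(f[8]),
                     "incept": _ts(f[9]), "keytag": int(f[10])})
    return sigs


def rollover_status(text: str, old_tag: int, resign_days: float) -> dict:
    """Count old-ZSK signatures left and estimate when named will replace the last one.
    The estimate assumes named is running and on schedule; confirm by re-querying
    before advancing, since any step can stall.
    """
    sigs = parse_rrsigs(text)
    old = [s for s in sigs if s["keytag"] == old_tag]
    last = max((s["expire"] - timedelta(days=resign_days) for s in old), default=None)
    return {"key_tags_in_use": sorted({s["keytag"] for s in sigs}),
            "old_sigs_left": len(old), "done": not old, "wait_until": last}


# Constructed dig output: A and MX still carry old-ZSK (11111) signatures, SOA the new ZSK (22222).
SAMPLE = """\
example.com. 3600 IN RRSIG SOA 13 2 3600 20200326120000 20200225120000 22222 example.com. AbC=
example.com. 3600 IN RRSIG A 13 2 3600 20200320000000 20200219000000 11111 example.com. AbC=
mail.example.com. 3600 IN RRSIG MX 13 3 3600 20200318090000 20200217090000 11111 example.com. AbC=
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20200326120000 20200225120000 33333 example.com. AbC=
"""

if __name__ == "__main__":
    for resign in (7.5, 29):  # default (30/4) versus "sig-validity-interval 30 29"
        print(resign, rollover_status(SAMPLE, old_tag=11111, resign_days=resign))
```

Run it against `dig +dnssec AXFR` (or `+dnssec ANY`) output from the signed zone and re-run until `done` is true rather than trusting the estimate.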
