dnssec-policy - any way to force bind to resign all records ?

vom513 vom513 at gmail.com
Fri Dec 16 00:20:59 UTC 2022


Hello,

I changed one of my domains over to dnssec-policy today (in a “nuclear” fashion) - but everything went surprisingly well.  Previous to this, I had lowered all my TTLs to hopefully help with this process or any errors/mistakes I might make.

I then went to put the TTLs back to their normal higher value.  What I wasn’t aware of is the discrepancy that now exists between the RR TTL and the RRSIG TTL.  DNSViz validates all the way down just fine, but I get errors on my top-level common RRs due to this mismatch.

I assume over time as BIND resigns nodes, these will all get in sync ?

In the meantime - is there any way to “force” BIND to resign everything ?  I’m not seeing an rndc command that looks to do this.  Looks like all the dnssec policy commands are under “rndc dnssec <option>”.  The other commands are obviously for the “old” way of signing.

So is there a way to do this ?  Or do I just need to wait ?

Thanks.
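A quick way to see which RRsets still carry signatures made under the old TTL, added here as an example and not part of the post or of BIND's own tooling: a small Python script that reads presentation-format records (the inline sample is constructed and stands in for `dig +dnssec` or zone-file output) and reports every RRSIG whose own TTL or whose Original TTL field disagrees with the TTL of the RRset it covers. That is the mismatch RFC 4035 section 2.2 forbids (the RRSIG TTL must equal the TTL of the covered RRset), and it is the condition that persists until the signer re-signs the affected RRsets. The `Mismatch` class and `find_ttl_mismatches` function are this example's own names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mismatch:
    """One RRSIG whose TTLs disagree with the RRset it covers."""
    owner: str
    rrtype: str       # type covered by the RRSIG
    rrset_ttl: int    # TTL on the data RRs themselves
    rrsig_ttl: int    # TTL on the RRSIG RR
    original_ttl: int # Original TTL field inside the RRSIG rdata

def parse_records(text):
    """Parse 'owner TTL class type rdata...' lines; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed record: {line!r}")
        owner = fields[0].lower()
        ttl = int(fields[1])
        rrtype = fields[3].upper()
        records.append((owner, ttl, rrtype, fields[4:]))
    return records

def find_ttl_mismatches(text):
    """Return a Mismatch for every RRSIG whose TTL or Original TTL != covered RRset TTL."""
    records = parse_records(text)
    rrset_ttl = {}
    for owner, ttl, rrtype, _ in records:
        if rrtype != "RRSIG":
            # all RRs in one RRset share a TTL, so the first one seen is enough
            rrset_ttl.setdefault((owner, rrtype), ttl)
    mismatches = []
    for owner, ttl, rrtype, rdata in records:
        if rrtype != "RRSIG":
            continue
        # RRSIG rdata: type-covered algorithm labels original-TTL expiration inception keytag signer sig
        covered = rdata[0].upper()
        original_ttl = int(rdata[3])
        key = (owner, covered)
        if key not in rrset_ttl:
            continue  # a signature with no data RRs is a different problem
        if ttl != rrset_ttl[key] or original_ttl != rrset_ttl[key]:
            mismatches.append(Mismatch(owner, covered, rrset_ttl[key], ttl, original_ttl))
    return mismatches

# Constructed sample: the apex A RRset was raised from 300 to 3600 after signing,
# www stayed at 300, and MX is unsigned. Signature bytes are placeholders.
SAMPLE = """
example.com.      3600 IN A     192.0.2.1
example.com.      3600 IN A     192.0.2.2
example.com.      300  IN RRSIG A 13 2 300 20230115000000 20221216000000 12345 example.com. c29tZXNpZw==
www.example.com.  300  IN A     192.0.2.3
www.example.com.  300  IN RRSIG A 13 3 300 20230115000000 20221216000000 12345 example.com. c29tZXNpZw==
example.com.      3600 IN MX    10 mail.example.com.
"""

if __name__ == "__main__":
    for m in find_ttl_mismatches(SAMPLE):
        print(f"{m.owner} {m.rrtype}: RRset TTL {m.rrset_ttl}, "
              f"RRSIG TTL {m.rrsig_ttl}, RRSIG original TTL {m.original_ttl}")
```

Feed it the answer section of an authoritative query (`dig +norecurse +dnssec @<your-auth-server> example.com A`, with the server placeholder replaced) rather than a recursive one: a resolver decrements the TTLs of cached answers, which would produce spurious mismatches that have nothing to do with the signer. An empty result for every name means the signatures have caught up with the new TTLs.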

