dnssec-policy - any way to force bind to resign all records ?

[vom513]

Sorry to self-reply…

I’m still getting used to dnssec-policy.  With the RRSIGs directly in the zone file now I was having some trouble.  I think I got it now - I needed to change the TTL on a given RR, and delete the RRSIG for that RR.  Lather, rinse, repeat for any/all other RR’s.  BIND will make new RRSIGs for these “new” RRs (new by virtue of having a diff TTL and no RRSIG…)  I think it makes sense now - but I welcome any other clarification or comments.  

Sorry for the noise.  Thanks.