Strange tiny time limit RRSIG
Paul Wouters
paul at xelerance.com
Fri Aug 14 03:38:40 UTC 2009
Hi,
I'm running into a strange issue where, when signing a zone and
re-using signatures, sometimes 1 RRSIG record ends up with
a validity time of almost nothing. This happens for instance when
signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592000"
as part of the dnssec-signzone command.
I am not entirely sure, but it seems this might be a "one error per zone"
as I've never seen more than one of these signatures, whether I'm signing
a zone with 10 entries or 1.2M entries.
This can be seen by running the same dnssec-signzone command twice
in a row. A warning then sometimes appears stating "warning signature
has expired".
This is using bind 9.6.1
Paul
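
Added example (not part of the original post, and not BIND code): one way to find the kind of record described above is to scan the signed zone file for RRSIGs whose expiration minus inception falls below a threshold. It assumes the text layout written by dnssec-signzone; the sample zone, the threshold and the function names are constructed for illustration.

```python
import calendar
import time

# Constructed sample in dnssec-signzone output layout; names, key tag and signatures are made up.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA ns.example.com. admin.example.com. 1 7200 3600 1209600 3600
                  3600 RRSIG SOA 5 2 3600 20090913023840 (
                          20090814023840 12345 example.com. c2lnMQ== )
                  3600 NSEC www.example.com. SOA RRSIG NSEC
www.example.com.  3600 IN A 192.0.2.1
                  3600 RRSIG A 5 3 3600 20090814023930 (
                          20090814023840 12345 example.com. c2lnMg== )
"""

def _ts(field):
    """RRSIG time: YYYYMMDDHHmmSS in UTC, or seconds since the epoch (RFC 4034)."""
    if len(field) == 14:
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S"))
    return int(field)

def records(zone_text):
    """Yield (owner, tokens) per record, joining parenthesised multi-line records."""
    owner, toks, depth = None, [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments (RRSIG rdata has no ';')
        if not line.strip() or line.startswith("$"):
            continue
        words = line.replace("(", " ( ").replace(")", " ) ").split()
        if depth == 0 and not line[0].isspace():
            owner, words = words[0], words[1:]   # blank owner field means "same as previous"
        for w in words:
            depth += (w == "(") - (w == ")")
            if w not in ("(", ")"):
                toks.append(w)
        if depth == 0:
            yield owner, toks
            toks = []

def short_rrsigs(zone_text, min_validity):
    """Return (owner, covered type, validity in seconds) for RRSIGs shorter than min_validity."""
    hits = []
    for owner, toks in records(zone_text):
        i = 0   # skip TTL and class so an NSEC bitmap that lists RRSIG is not mistaken for one
        while i < len(toks) and (toks[i].isdigit() or toks[i].upper() in ("IN", "CH", "HS")):
            i += 1
        if i < len(toks) and toks[i].upper() == "RRSIG":
            f = toks[i + 1:]   # covered, alg, labels, orig TTL, expiration, inception, ...
            validity = _ts(f[4]) - _ts(f[5])
            if validity < min_validity:
                hits.append((owner, f[0], validity))
    return hits
```

Running short_rrsigs() over the output of each signing pass, before the zone is published, catches a near-zero validity window that would otherwise only show up as a validation failure.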