Seeking Advice on DNSSEC Algorithm Rollover
alex at net-me.net
Sun Jun 24 06:02:12 UTC 2012
I don't think that bind trying to sign with non-existent key will do any
harm - probably just warning.
But it's simpler - change metadata of the key - set deletion time to the
time you want the key to be deleted (like DS deletion time+TTL).
Bind with auto-dnnsec allow re-reads the metadata and should remove the key
and all the signatures at that time.
You don't need nsupdate nor update-policy for that.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users