Strange tiny time limit RRSIG

Paul Wouters paul at
Fri Aug 14 03:38:40 UTC 2009


I'm running into a strange issue where when signing a zone with
re-using signatures, that sometimes 1 RRSIG record ends up with
a validity time of almost nothing. This happens for instance when
signing (and re-using sigs) using "-i 1296000  -e +2592000 -j 2592000"
as part of the dnssec-signzone command.

I am not entirely sure, but it seems this might be a "one error per zone"
as I've never seen more then one of these signatures. Wether I'm signing
a zone with 10 entries or 1.2M entries.

This can be seen by running the same dnssec-signzone command twice
in row. A warning then sometimes appears stating "warning signature
has expired"

This is using bind 9.6.1


More information about the bind-users mailing list