auto-dnssec resign timers

Tony Finch dot at
Fri Sep 17 10:15:27 UTC 2010

On 17 Sep 2010, at 10:44, Niobos <niobos at> wrote:
> In my opinion, BIND should have resigned this by now: The signature is
> valid until a little over 2 days. This means that if the slave would
> loose contact with the master right now, it will give out signatures
> that will expire before their TTL does.
> According to my calculations, RRSIGs should be regenerated zone-expire +
> RR-ttl seconds before the RRSIG expires.

You have to manually set the zone expiry time, TTLs, signature lifetime, and re-signing time consistently.

The documentation for 9.7.1 says:


Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates (the section called “Dynamic Update”) will expire. There is an optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will be regenerated at 1/4 of base interval. The second field is specified in days if the base interval is greater than 7 days otherwise it is specified in hours. The default base interval is 30 days giving a re-signing interval of 7 1/2 days. The maximum values are 10 years (3660 days).

The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.

The sig-validity-interval should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates.

f.anthony.n.finch  <dot at>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list