auto-dnssec resign timers

Niobos niobos at
Fri Sep 17 13:10:07 UTC 2010

On 2010-09-17 12:15, Tony Finch wrote:
> On 17 Sep 2010, at 10:44, Niobos <niobos at
> <mailto:niobos at>> wrote:
>> In my opinion, BIND should have resigned this by now: The signature is
>> valid until a little over 2 days. This means that if the slave would
>> loose contact with the master right now, it will give out signatures
>> that will expire before their TTL does.
>> According to my calculations, RRSIGs should be regenerated zone-expire +
>> RR-ttl seconds before the RRSIG expires.
> You have to manually set the zone expiry time, TTLs, signature lifetime,
> and re-signing time consistently.
> The documentation for 9.7.1 says:
> *sig-validity-interval*
> *
> *
> *Specifies the number of days into the future when DNSSEC signatures
> automatically generated as a result of dynamic updates (the section
> called “Dynamic Update”
> <>) will
> expire. There is an optional second field which specifies how long
> before expiry that the signatures will be regenerated. If not specified,
> the signatures will be regenerated at 1/4 of base interval. The second
> field is specified in days if the base interval is greater than 7 days
> otherwise it is specified in hours. The default base interval
> is |30| days giving a re-signing interval of 7 1/2 days. The maximum
> values are 10 years (3660 days).***
Wonderful, exactly what I was looking for.

Unfortunately, this mail is the first place where I find a reference to
this second field. My Google-searches of "bind arm
sig-validity-interval" only return the single-field descriptions (eg
); even the man-page of my installation says:
sig-validity-interval integer;
note the absence of the second field.

Is the current version of the ARM available online somewhere?


More information about the bind-users mailing list