bind 9.7.0 auto-dnssec doesn't remove final RRSIG on key inactivation?

Phil Mayers p.mayers at
Thu Aug 25 09:00:42 UTC 2011

We have a hidden master doing DNSSEC on our zones, and I've observed the 
following problem when doing a ZSK rollover.

Zones are updated from our database using DDNS, and bind of course is 
(re)generating the signatures at the standard intervals.

I first create and publish a new ZSK with no activation date. After 
waiting the requisite amount of time, I use dnssec-settime:

dnssec-settime -A K<newid>
dnssec-settime -I K<oldid>
rndc sign <zone>

...and bind immediately starts using the new key for sigs. After 0.75*30 
days, all the RRSIG with the old key have been replaced except for one - 
the RRSIG on the zone apex DNSKEY record. Unfortunately, this RRSIG is 
not regenerated, or removed; it expires, and causes various monitoring 
tools (including the ISC DLV web UI) to complain.

Is this a bug in bind 9.7.0 which is fixed in a later version?

(I'm aware we should upgrade the hidden master anyway, but since it's 
hidden it has limited vulnerability, and it's something I like to be 
cautious with!)
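
Added example, not part of the original message and not ISC code: a monitoring check for the condition described above, which reads RRSIG records in the presentation format printed by `dig +dnssec DNSKEY <zone>` and reports apex DNSKEY signatures that come from a key no longer active or that are close to expiry. The sample records, key tags, the `active_tags` set and the 3-day warning window are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the format printed by `dig +dnssec DNSKEY <zone>`;
# key tags, dates and signatures are invented placeholders.
# Assumed roles: 11111 = old (inactive) ZSK, 22222 = new ZSK, 33333 = KSK.
SAMPLE = """\
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20110827090000 20110728090000 11111 example.org. c2lnMQ==
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20110920090000 20110821090000 22222 example.org. c2lnMg==
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20110920090000 20110821090000 33333 example.org. c2lnMw==
example.org. 3600 IN RRSIG SOA 5 2 3600 20110920090000 20110821090000 22222 example.org. c2lnNA==
"""

def parse_rrsigs(text):
    """Return (type_covered, key_tag, expiration) for each RRSIG line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        if len(f) < i + 9:
            continue  # truncated record, skip it
        # RFC 4034 order after RRSIG: type covered, algorithm, labels,
        # original TTL, expiration, inception, key tag, signer, signature
        exp = datetime.strptime(f[i + 5], "%Y%m%d%H%M%S")
        out.append((f[i + 1], int(f[i + 7]), exp.replace(tzinfo=timezone.utc)))
    return out

def check_dnskey_sigs(text, active_tags, now, warn=timedelta(days=3)):
    """Report DNSKEY RRSIGs made by a non-active key, or expired/expiring."""
    findings = []
    for covered, tag, expires in parse_rrsigs(text):
        if covered != "DNSKEY":
            continue  # only the apex DNSKEY RRset is of interest here
        if expires <= now:
            state = "expired"
        elif expires - now <= warn:
            state = "expiring"
        else:
            state = "valid"
        inactive = tag not in active_tags
        if inactive or state != "valid":
            findings.append((tag, "inactive" if inactive else "active", state))
    return findings

if __name__ == "__main__":
    now = datetime(2011, 8, 25, 9, 0, 42, tzinfo=timezone.utc)
    for finding in check_dnskey_sigs(SAMPLE, {22222, 33333}, now):
        print(finding)
```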

