bind 9.7.0 auto-dnssec doesn't remove final RRSIG on key inactivation?
p.mayers at imperial.ac.uk
Thu Aug 25 09:00:42 UTC 2011
We have a hidden master doing DNSSEC on our zones, and I've observed the
following problem when doing a ZSK rollover.
Zones are updated from our database using DDNS, and bind of course is
(re)generating the signatures at the standard intervals.
I first create and publish a new ZSK with no activation date. After
waiting the requisite amount of time, I use dnssec-settime:
dnssec-settime -A K<newid>
dnssec-settime -I K<oldid>
rndc sign <zone>
...and bind immediately starts using the new key for sigs. After 0.75*30
days, all the RRSIG with the old key have been replaced except for one -
the RRSIG on the zone apex DNSKEY record. Unfortunately, this RRSIG is
not regenerated, or removed; it expires, and causes various monitoring
tools (including the ISC DLV web UI) to complain.
Is this a bug in bind 9.7.0 which is fixed in a later version?
(I'm aware we should upgrade the hidden master anyway, but since it's
hidden it has limited vulnerability, and it's something I like to be
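Added example, not code from the original post and not part of BIND: a small checker that parses RRSIG records in zone presentation format (what `dig axfr` or `named-compilezone` emit) and reports which signatures are still made by a key tag that is supposed to be retired, and whether those signatures have already expired, which is the situation described above for the apex DNSKEY RRset. It also lists RRsets that have no currently valid signature by an active key. The zone snippet, key tags (11111 old ZSK, 22222 new ZSK, 54321 KSK), names and signature bytes are all constructed for illustration; only the YYYYMMDDHHMMSS timestamp form is handled, not the seconds-since-epoch form.

```python
"""Find RRSIGs still made by retired ZSKs after a rollover.

Added example (not from the original post, not BIND code). Parses RRSIG
records in presentation format and checks key tags and validity windows
against a supplied "now" so the result is deterministic.
"""
from datetime import datetime, timezone

# Constructed sample zone excerpt (hypothetical names, key tags and
# signature data). The old ZSK (tag 11111) still signs the apex DNSKEY
# RRset with an already-expired RRSIG; everything else has been re-signed
# by the new ZSK (tag 22222) or by the KSK (tag 54321).
SAMPLE_ZONE = """
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20110820000000 20110721000000 11111 example.org. AAAA
example.org. 3600 IN RRSIG DNSKEY 8 2 3600 20110915000000 20110816000000 54321 example.org. BBBB
example.org. 3600 IN RRSIG SOA 8 2 3600 20110915000000 20110816000000 22222 example.org. CCCC
www.example.org. 300 IN RRSIG A 8 3 300 20110915000000 20110816000000 22222 example.org. DDDD
"""

# Reference times for the sample: the post's date, and a point after every
# signature in the sample has expired.
NOW = datetime(2011, 8, 25, 9, 0, 42, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2011, 9, 16, 0, 0, 0, tzinfo=timezone.utc)


def _parse_ts(text):
    """RRSIG expiration/inception in YYYYMMDDHHMMSS form (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return a list of dicts, one per RRSIG line, ignoring other records."""
    sigs = []
    for line in zone_text.splitlines():
        fields = line.split()
        # owner ttl class RRSIG covered alg labels origttl exp inc keytag signer sig...
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0],
            "covered": fields[4],
            "keytag": int(fields[10]),
            "expiration": _parse_ts(fields[8]),
            "inception": _parse_ts(fields[9]),
            "signer": fields[11],
        })
    return sigs


def stale_signatures(zone_text, retired_tags, now):
    """RRSIGs made by retired key tags, annotated with whether they expired."""
    found = []
    for sig in parse_rrsigs(zone_text):
        if sig["keytag"] in retired_tags:
            found.append({**sig, "expired": sig["expiration"] <= now})
    return found


def rrsets_without_active_signature(zone_text, active_tags, now):
    """(owner, type) pairs lacking any in-window RRSIG by an active key.

    This is the condition a validator cares about: a leftover expired
    signature is noise, but an RRset with no valid signature is bogus.
    """
    seen, covered = set(), set()
    for sig in parse_rrsigs(zone_text):
        key = (sig["owner"], sig["covered"])
        seen.add(key)
        if sig["keytag"] in active_tags and sig["inception"] <= now < sig["expiration"]:
            covered.add(key)
    return sorted(seen - covered)


if __name__ == "__main__":
    for sig in stale_signatures(SAMPLE_ZONE, {11111}, NOW):
        state = "EXPIRED" if sig["expired"] else "still valid"
        print(f"{sig['owner']} {sig['covered']} signed by retired tag {sig['keytag']}: {state}")
    print("RRsets without a valid active-key signature:",
          rrsets_without_active_signature(SAMPLE_ZONE, {22222, 54321}, NOW))
```

Run it against a full `dig @master zone axfr` dump with the real retired and active key tags; the first report is what the monitoring tools complain about, the second tells you whether resolvers would actually fail validation.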