bind 9.7.0 auto-dnssec doesn't remove final RRSIG on key inactivation?

Tony Finch dot at
Thu Aug 25 11:14:41 UTC 2011

Phil Mayers <p.mayers at> wrote:
> I first create and publish a new ZSK with no activation date. After waiting
> the requisite amount of time, I use dnssec-settime:
> dnssec-settime -A K<newid>
> dnssec-settime -I K<oldid>
> rndc sign <zone>
> ...and bind immediately starts using the new key for sigs. After 0.75*30 days,
> all the RRSIG with the old key have been replaced except for one - the RRSIG
> on the zone apex DNSKEY record. Unfortunately, this RRSIG is not regenerated,
> or removed; it expires, and causes various monitoring tools (including the ISC
> DLV web UI) to complain.
> Is this a bug in bind 9.7.0 which is fixed in a later version?

Possibly this:

3020.   [bug]           auto-dnssec failed to correctly update the zone when
                        changing the DNSKEY RRset. [RT #23232]

dnssec-dnskey-kskonly might be a workaround...

f.anthony.n.finch  <dot at>
Trafalgar: Northwesterly 5 or 6 in southeast Trafalgar, otherwise variable 3
or 4, becoming cyclonic 5 to 7, perhaps gale 8 later in south Biscay and
southeast Fitzroy. Moderate or rough. Rain or showers. Good, occasionally
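A monitoring check for the symptom described in the quoted message (an RRSIG on the apex DNSKEY still made with the inactivated key, or already expired), added here as an example that is not part of the thread or of BIND. It parses dig-style RRSIG lines; the zone name example.com, the key tags 12345 (retired) and 54321 (new) and the timestamps are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Flags RRSIGs that were made
# with a retired (inactivated) key tag, or whose expiration is already past.

# Constructed sample of the RRSIG lines that
#   dig +dnssec +noall +answer example.com DNSKEY   (and SOA / A)
# would print. Fields: name ttl class RRSIG type alg labels origttl
# expiration inception keytag signer signature
SAMPLE_RRSIGS='example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20110901000000 20110802000000 12345 example.com. AbCd==
example.com. 3600 IN RRSIG SOA 8 2 3600 20110920000000 20110821000000 54321 example.com. EfGh==
example.com. 3600 IN RRSIG A 8 2 3600 20110920000000 20110821000000 54321 example.com. IjKl=='

# stale_rrsigs RETIRED_KEYTAG NOW_YYYYMMDDHHMMSS  (RRSIG lines on stdin)
# Prints "TYPE KEYTAG EXPIRATION reason" for every RRSIG that is either
# signed by the retired key or expired relative to NOW (UTC).
stale_rrsigs() {
    awk -v retired="$1" -v now="$2" '
        $4 == "RRSIG" {
            type = $5; expires = $9; tag = $11
            if (tag == retired)       print type, tag, expires, "signed-by-retired-key"
            else if (expires < now)   print type, tag, expires, "expired"
        }'
}

# count_stale RETIRED_KEYTAG NOW: number of problem RRSIGs in the sample
count_stale() {
    printf '%s\n' "$SAMPLE_RRSIGS" | stale_rrsigs "$1" "$2" | wc -l | tr -d ' '
}

# Against a live zone, replace the sample with real dig output, e.g.
#   dig +dnssec +noall +answer example.com DNSKEY \
#     | stale_rrsigs 12345 "$(date -u +%Y%m%d%H%M%S)"
printf '%s\n' "$SAMPLE_RRSIGS" | stale_rrsigs 12345 20110825000000
```

With the sample data and the retired tag 12345, only the apex DNSKEY RRSIG is reported, which is exactly the leftover signature the message complains about.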
