"Key <foo>: Delaying activation to match the DNSKEY TTL."

Evan Hunt each at isc.org
Wed Jul 6 02:34:22 UTC 2011


On Tue, Jul 05, 2011 at 02:28:13PM -0700, Paul B. Henson wrote:
> I saw this message from dnssec-signzone around the time a previously
> published key was due to be activated, and I'm not quite sure what it
> means. Google is uncharacteristically silent about it ;).
> 
> If someone could offer an explanation of why the activation was delayed
> and whether I should care it would be much appreciated, thanks...

The key is being published now, and its activation date (i.e., when it
will start to be used to sign records) is in the near future: less than
the TTL of the DNSKEY record from now.

When the key starts signing, then someone could get an RRSIG generated by
that key... but, if that same someone had a cached copy of the DNSKEY
record from *before* the key was published, then validation could fail.

So, what it's telling you is that named won't start signing records with
this key until after the old DNSKEY record is guaranteed to have expired
out of all the resolver caches.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
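The timing rule in Evan's reply (a new key must not sign before every pre-publication copy of the DNSKEY RRset could have expired from resolver caches) as an added worked example in Python; this is not code from the thread or from BIND, and the resolver cache model (`resolver_sees_new_key`) is a constructed simplification for illustration.

```python
# Added example: models why activation is delayed to publish + DNSKEY TTL.
from datetime import datetime, timedelta


def earliest_safe_activation(publish, dnskey_ttl, requested_activate):
    """Return the activation time actually used: never before publish + TTL.

    A resolver that fetched the DNSKEY RRset just before publication keeps
    that copy (without the new key) for up to one TTL, so an RRSIG made by
    the new key before then would not validate for it.
    """
    safe = publish + timedelta(seconds=dnskey_ttl)
    if requested_activate < safe:
        return safe  # delayed, which is what the log message reports
    return requested_activate


def resolver_sees_new_key(cached_at, query_time, publish, dnskey_ttl):
    """Constructed cache model: a resolver that fetched DNSKEY at cached_at
    uses that copy until cached_at + TTL, then refetches from the zone."""
    expires = cached_at + timedelta(seconds=dnskey_ttl)
    if query_time < expires:
        return cached_at >= publish  # cached copy has the key only if fetched after publish
    return query_time >= publish     # fresh fetch: key present once published


def validation_fails(cached_at, query_time, publish, activate, dnskey_ttl):
    """True when data signed by the new key reaches a resolver whose cached
    DNSKEY RRset predates publication (the failure the delay prevents)."""
    signed_by_new_key = query_time >= activate
    return signed_by_new_key and not resolver_sees_new_key(
        cached_at, query_time, publish, dnskey_ttl)


def failure_window_seconds(publish, activate, dnskey_ttl):
    """Seconds between activation and the expiry of the last DNSKEY copy
    cached before publication; zero means no resolver can be caught out."""
    last_stale_expiry = publish + timedelta(seconds=dnskey_ttl)
    return max(0, int((last_stale_expiry - activate).total_seconds()))


if __name__ == "__main__":
    publish = datetime(2011, 7, 5, 12, 0, 0)   # constructed timestamps
    ttl = 3600                                 # DNSKEY TTL of one hour
    wanted = publish + timedelta(minutes=30)   # activation requested too early
    used = earliest_safe_activation(publish, ttl, wanted)
    print("activation delayed to", used, "window without delay:",
          failure_window_seconds(publish, wanted, ttl), "s")
```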
