"Key <foo>: Delaying activation to match the DNSKEY TTL."
Paul B. Henson
henson at acm.org
Mon Jul 11 22:42:07 UTC 2011
On 7/7/2011 12:37 PM, Evan Hunt wrote:
> less than $dnskey_ttl seconds in the future. If the activation time
> were further away, it would not warn you. If it were in the past, it
> would use the key to sign the zone, and again it would not warn you.
> There's only a window of $dnskey_ttl seconds in which you'd ever see
> this.
Ah, ok, now it's making sense. On another review, the message wasn't
generated in the forced signing after the new keys were created, it came
from a run initiated by someone making an actual change that needed to
be deployed. This must be the first time since we rolled it out that a
change has been made within 12 hours (our default TTL) of a key
rollover, which is why I'd never seen it before.
> And actually, in the case of dnssec-signzone, it's a pointless
> message and should probably be suppressed.
Agreed :), would have saved me some confusion and unnecessary concern.
For now, I can just ignore it, thanks again for the clarification of
what was going on.
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
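As an added example (not code from BIND or from either poster), a small Python model of the warning window Evan describes: a key's activation time is compared against a signing run's time, and the message is expected only when activation lies less than DNSKEY-TTL seconds in the future. It assumes the 14-digit UTC YYYYMMDDHHMMSS form that BIND's key-timing metadata uses; the scenario timestamps are constructed.

```python
"""Model of the dnssec-signzone "Delaying activation" window from the thread.

Added example, not BIND code: reproduces the rule that the message appears
only when a key's activation time is less than DNSKEY-TTL seconds away.
"""
from datetime import datetime, timedelta, timezone

# BIND key timing metadata (dnssec-keygen/dnssec-settime) is YYYYMMDDHHMMSS in UTC.
BIND_TIME_FMT = "%Y%m%d%H%M%S"


def parse_bind_time(stamp: str) -> datetime:
    """Parse a 14-digit BIND-style UTC timestamp."""
    return datetime.strptime(stamp, BIND_TIME_FMT).replace(tzinfo=timezone.utc)


def classify_activation(activate: datetime, now: datetime, dnskey_ttl: int) -> str:
    """How a signing run at `now` treats a key whose activation time is `activate`.

    'active'  : activation already passed, the key signs the zone, no message.
    'warning' : activation is within dnskey_ttl seconds, the message is printed.
    'pending' : activation is further away, the key is skipped silently.
    """
    if activate <= now:
        return "active"
    if activate < now + timedelta(seconds=dnskey_ttl):
        return "warning"
    return "pending"


def runs_that_warn(activate_stamp: str, run_stamps: list, dnskey_ttl: int) -> list:
    """Return the signing-run timestamps that would emit the warning."""
    activate = parse_bind_time(activate_stamp)
    return [s for s in run_stamps
            if classify_activation(activate, parse_bind_time(s), dnskey_ttl) == "warning"]


if __name__ == "__main__":
    TTL = 12 * 3600  # the 12-hour DNSKEY TTL mentioned in the thread
    # Constructed scenario: key activates at a rollover time; three signing runs.
    runs = ["20110701120000",  # forced signing right after key creation: silent
            "20110710230000",  # change pushed within 12h of rollover: message
            "20110711120000"]  # after rollover: key simply signs, silent
    print(runs_that_warn("20110711000000", runs, TTL))  # -> ['20110710230000']
```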