"Key <foo>: Delaying activation to match the DNSKEY TTL."

Paul B. Henson henson at acm.org
Mon Jul 11 22:42:07 UTC 2011

On 7/7/2011 12:37 PM, Evan Hunt wrote:

> less than $dnskey_ttl seconds in the future.  If the activation time
> were further away, it would not warn you.  If it were in the past, it
> would use the key to sign the zone, and again it would not warn you.
> There's only a window of $dnskey_ttl seconds in which you'd ever see
> this.

Ah, ok, now it's making sense. On another review, the message wasn't
generated in the forced signing after the new keys were created, it came
from a run initiated by someone making an actual change that needed to
be deployed. This must be the first time since we rolled it out that a
change has been made within 12 hours (our default TTL) of a key
rollover, which is why I'd never seen it before.

> And actually, in the case of dnssec-signzone, it's a pointless
> message and should probably be suppressed.

Agreed :), would have saved me some confusion and unnecessary concern.
For now, I can just ignore it, thanks again for the clarification of
what was going on.

Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

More information about the bind-users mailing list