"Key <foo>: Delaying activation to match the DNSKEY TTL."
Paul B. Henson
henson at acm.org
Mon Jul 11 22:42:07 UTC 2011
On 7/7/2011 12:37 PM, Evan Hunt wrote:
> less than $dnskey_ttl seconds in the future. If the activation time
> were further away, it would not warn you. If it were in the past, it
> would use the key to sign the zone, and again it would not warn you.
> There's only a window of $dnskey_ttl seconds in which you'd ever see

Ah, ok, now it's making sense. On another review, the message wasn't
generated in the forced signing after the new keys were created; it came
from a run initiated by someone making an actual change that needed to
be deployed. This must be the first time since we rolled it out that a
change has been made within 12 hours (our default TTL) of a key
rollover, which is why I'd never seen it before.

> And actually, in the case of dnssec-signzone, it's a pointless
> message and should probably be suppressed.

Agreed :), would have saved me some confusion and unnecessary concern.
For now, I can just ignore it, thanks again for the clarification of
what was going on.

Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768