DNSSEC key rollover failure

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 17 15:47:17 UTC 2011


On 17/06/11 15:13, Spain, Dr. Jeffry A. wrote:
>
> As of today (6/17/2011), RRSIG records for key 2750 are present for
> every RRset in the zone. The only RRSIG record for key 33722 is for the
> SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I
> understand the process, based on the dates in the metadata, there should
> be RRSIGs for key 33722 on all RRsets, and all RRSIGs for key 2750
> should have been removed.

IIRC bind will not re-generate the signatures until they are "due" based 
on the sig-* parameters.

For example, the RRSIG on the NS records:

countryday.net.		3600 IN	RRSIG NS 7 2 3600 20110709035017 ...

...was generated on June 9th and isn't due to expire until July 9th. 
Bind will re-sign it at ~0.75 of that window if memory serves, so it'll 
get re-signed at or about July 1st.

How big is the zone, and how did you sign it originally? If you used 
"rndc sign", then there will be little jitter in the RRSIG so they'll 
all tend to roll over together.

For most of our zones, I signed them manually using dnssec-signzone and 
tuning the jitter for a constant trickle.
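An added example, not part of this thread or of BIND itself: a small Python audit that parses `dig`-style RRSIG lines, lists which RRsets each key tag has signed (the check behind the question about keys 2750 and 33722), and predicts when each signature would be regenerated under the 0.75-of-window rule described above. The input lines are constructed to mirror the situation in the question, with placeholder signature data.

```python
"""Audit RRSIG coverage per key tag and predict when each signature is due
for regeneration. Input is presentation-format RRSIG text as `dig` prints it:
owner TTL class RRSIG covered alg labels orig-ttl expiration inception keytag signer sig
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample modelled on the thread: key 2750 signs every RRset,
# key 33722 only the SOA. "AAAA" stands in for real signature data.
SAMPLE_RRSIGS = """\
countryday.net. 3600 IN RRSIG NS 7 2 3600 20110709035017 20110609035017 2750 countryday.net. AAAA
countryday.net. 3600 IN RRSIG SOA 7 2 3600 20110709035017 20110609035017 2750 countryday.net. AAAA
countryday.net. 3600 IN RRSIG SOA 7 2 3600 20110717120000 20110617120000 33722 countryday.net. AAAA
www.countryday.net. 3600 IN RRSIG A 7 3 3600 20110709035017 20110609035017 2750 countryday.net. AAAA
"""

# Assumption: the signer regenerates an RRSIG once 3/4 of its validity
# window has elapsed, as the reply above describes for BIND.
RESIGN_FRACTION = 0.75

def _ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return the fields of one RRSIG line that matter for the audit."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG line: %r" % line)
    return {"owner": f[0], "covers": f[4], "expiration": _ts(f[8]),
            "inception": _ts(f[9]), "keytag": int(f[10])}

def coverage_by_keytag(text):
    """Map key tag -> sorted (owner, type) RRsets that key has signed."""
    cov = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            r = parse_rrsig(line)
            cov[r["keytag"]].add((r["owner"], r["covers"]))
    return {k: sorted(v) for k, v in cov.items()}

def rrsets_missing_key(text, keytag):
    """RRsets signed by some key but not yet by `keytag` (the incoming key)."""
    cov = coverage_by_keytag(text)
    every = set().union(*cov.values()) if cov else set()
    return sorted(every - set(cov.get(keytag, [])))

def resign_time(sig, fraction=RESIGN_FRACTION):
    """When the signer is expected to regenerate this RRSIG."""
    return sig["inception"] + (sig["expiration"] - sig["inception"]) * fraction
```

Feed it the output of `dig +dnssec AXFR` (or the signed zone file filtered to RRSIG lines) to see which RRsets the new key has not yet signed and how far away the next re-signing pass is.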



More information about the bind-users mailing list