DNSSEC key rollover failure

Spain, Dr. Jeffry A. spainj at countryday.net
Fri Jun 17 20:25:46 UTC 2011

Thanks, Phil.

> How big is the zone, and how did you sign it originally? If you used "rndc sign", then there will be little jitter in the RRSIG so they'll all tend to roll over together.
>For most of our zones, I signed them manually using dnssec-signzone and tuning the jitter for a constant trickle.

Our zone has 115 records, not counting DNSSEC-related records. I originally signed it by specifying the zone file and key directory along with "auto-dnssec maintain" in the configuration file. Looking at all the RRSIGs, they expire for the most part over a period of a couple of hours on July 9, so I think that the resigning process will not be a resource utilization problem.

> Bind will re-sign it at ~0.75 of that window if memory serves, so it'll get re-signed at or about July 1st.

Given what you are saying, if the resigning starts on July 1, that is a couple of days after the original DNSKEY is due to be deleted based on its metadata. Hopefully bind will either resign the remaining records early or keep the DNSKEY around after its deletion date. I will watch it carefully to see what happens.

Thanks for your insight. Jeff.

More information about the bind-users mailing list