DNSSEC key rollover failure

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 17 20:38:23 UTC 2011

On 06/17/2011 09:35 PM, Phil Mayers wrote:

> In which case you're going to have serious problems I think. You can't
> delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those
> RRSIGs finally disappear.
> There's an RFC describing the key rotation schedules you must use in a
> lot of detail. I can't find the link off-hand, but I will dig into it.


See section 3.2.1
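
An added example, not part of the original post and not BIND code: a check for the rule quoted above, which refuses to schedule a DNSKEY deletion while any RRSIG made by that key is still in the zone, and otherwise returns the removal time plus the zone's maximum TTL. The zone snapshot, the key tags 11111 and 22222, and all function names are constructed for illustration; records are assumed to be one per line in `owner ttl IN type rdata` form.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone snapshot (key and signature data replaced by placeholders).
# Assumption: the old ZSK has key tag 11111, the new ZSK has key tag 22222.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 8 OLDKEYPLACEHOLDER
example.test. 3600 IN DNSKEY 256 3 8 NEWKEYPLACEHOLDER
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110717000000 20110617000000 22222 example.test. SIG
www.example.test. 86400 IN A 192.0.2.10
www.example.test. 86400 IN RRSIG A 8 3 86400 20110701000000 20110601000000 11111 example.test. SIG
mail.example.test. 300 IN A 192.0.2.25
mail.example.test. 300 IN RRSIG A 8 3 300 20110717000000 20110617000000 22222 example.test. SIG
"""

def parse_records(zone_text):
    """Yield (owner, ttl, rtype, rdata_fields) for each record line."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blank lines, comments and anything too short
        yield fields[0], int(fields[1]), fields[3], fields[4:]

def rrsigs_made_by(zone_text, key_tag):
    """Return (owner, covered_type) for every RRSIG carrying this key tag.

    RRSIG rdata order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer name, signature.
    """
    return [(owner, rdata[0])
            for owner, _ttl, rtype, rdata in parse_records(zone_text)
            if rtype == "RRSIG" and int(rdata[6]) == key_tag]

def max_ttl(zone_text):
    """Largest TTL in the snapshot, used as the $MAX_TTL of the quoted rule."""
    return max(ttl for _owner, ttl, _rtype, _rdata in parse_records(zone_text))

def earliest_dnskey_removal(zone_text, key_tag, last_rrsig_removed_at):
    """None while the key still has RRSIGs in the zone; otherwise the time the
    last such RRSIG left the zone plus MAX_TTL, so cached copies have aged out."""
    if rrsigs_made_by(zone_text, key_tag):
        return None
    return last_rrsig_removed_at + timedelta(seconds=max_ttl(zone_text))

if __name__ == "__main__":
    removed = datetime(2011, 6, 17, 20, 0, tzinfo=timezone.utc)
    print(rrsigs_made_by(SAMPLE_ZONE, 11111))
    print(earliest_dnskey_removal(SAMPLE_ZONE, 11111, removed))
```

Key tags are not guaranteed unique, so a match on the tag alone can be a false positive; here that only makes the check more conservative.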
