DNSSEC Key Rollover Questions

Spain, Dr. Jeffry A. spainj at countryday.net
Sat Jun 18 14:48:59 UTC 2011

Assume that bind 9.8.0 is in operation. A zone is configured with auto-dnssec maintain, and the zone signing keys K and its successor K' are published. Further assume that the activation time for K has passed and the zone is properly signed with K. Now suppose that the activation time for K' arrives. Should I expect bind to generate RRSIG records with K' right away? Now suppose that the deactivation date for K arrives one day later. Should I expect bind to remove RRSIG records for K right away? Or only after the signature expiration times of those signatures?

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
6905 Given Road, Cincinnati, OH 45243-2898, USA
Phone +1 (513) 979-0299; Fax +1 (513) 527-7632 (UTC-4)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110618/18c1d5b7/attachment.html>

More information about the bind-users mailing list