DNSSEC Key Rollover Questions
Spain, Dr. Jeffry A.
spainj at countryday.net
Sat Jun 18 14:48:59 UTC 2011
Assume that bind 9.8.0 is in operation. A zone is configured with auto-dnssec maintain, and the zone signing keys K and its successor K' are published. Further assume that the activation time for K has passed and the zone is properly signed with K. Now suppose that the activation time for K' arrives. Should I expect bind to generate RRSIG records with K' right away? Now suppose that the deactivation date for K arrives one day later. Should I expect bind to remove RRSIG records for K right away? Or only after the signature expiration times of those signatures?
Jeffry A. Spain
Cincinnati Country Day School
6905 Given Road, Cincinnati, OH 45243-2898, USA
Phone +1 (513) 979-0299; Fax +1 (513) 527-7632 (UTC-4)