ZSK pre-publish
Matthew Seaman
m.seaman at infracaninophile.co.uk
Mon Oct 3 13:54:49 UTC 2011
On 03/10/2011 13:45, Torinthiel wrote:
> On 2011-10-01 11:40, Matthew Seaman wrote:
>> dnssec-signzone will grok all the built-in dates and do the right thing
>> when you sign the zone.
> BTW, how does dnssec-signzone behave when you pass the -s option? Does it
> take into account that date when determining whether to use/publish key?
> Can one for example generate signatures for the future using
> dnssec-signzone, or is it possible only with careful manual inclusion?
If the date or offset you specify via the -s option is outside the
period of activation of a key, then dnssec-signzone won't use that key
to sign that RR. So if you're trying to manage keys manually you will
need to re-sign the zone once the activation date plus 1 hour has passed
-- assuming you take the defaults for '-s' -- to pick up the RRSIGs made
with the new key.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew at infracaninophile.co.uk Kent, CT11 9PW
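
The timing rule described in the reply above, modelled as an added example (not part of the original message and not BIND's own code). The key-file text is a constructed sample, the function names are hypothetical, and a key without an Activate time is assumed to be unusable.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the timing comments found at the top of a K*.key file.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 4242, for example.com.
; Created: 20110920000000 (Tue Sep 20 00:00:00 2011)
; Publish: 20110920000000 (Tue Sep 20 00:00:00 2011)
; Activate: 20111003120000 (Mon Oct  3 12:00:00 2011)
; Inactive: 20111103120000 (Thu Nov  3 12:00:00 2011)
example.com. IN DNSKEY 256 3 8 AwEAAconstructed==
"""

DEFAULT_SKEW = timedelta(hours=1)  # with no -s, signatures start at "now minus 1 hour"
TIMING_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})\b", re.M)

def parse_ts(ts):
    """Convert YYYYMMDDHHMMSS (as used in key files and by -s) to a UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_times(key_text):
    """Return {'Publish': dt, 'Activate': dt, ...} from the key file comments."""
    return {name: parse_ts(ts) for name, ts in TIMING_RE.findall(key_text)}

def signing_start(now, s_opt=None):
    """Resolve -s: absolute YYYYMMDDHHMMSS, '+N' seconds from now, or the default."""
    if s_opt is None:
        return now - DEFAULT_SKEW
    if s_opt.startswith("+"):
        return now + timedelta(seconds=int(s_opt[1:]))
    return parse_ts(s_opt)

def key_signs(key_text, now, s_opt=None):
    """True if the signature start time falls inside the key's activation period."""
    times = key_times(key_text)
    start = signing_start(now, s_opt)
    # Assumption: no Activate time means the key is not used for signing.
    if "Activate" not in times or start < times["Activate"]:
        return False
    return "Inactive" not in times or start < times["Inactive"]

def earliest_default_resign(key_text):
    """Earliest wall-clock time at which a run without -s picks up the key."""
    return key_times(key_text)["Activate"] + DEFAULT_SKEW

if __name__ == "__main__":
    now = datetime(2011, 10, 3, 12, 30, tzinfo=timezone.utc)
    print("signs with default -s:", key_signs(SAMPLE_KEY, now))
    print("re-sign no earlier than:", earliest_default_resign(SAMPLE_KEY))
```

Run thirty minutes after activation, the default start time is still before the Activate date, so the new key produces no RRSIGs until the one-hour mark.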