ZSK pre-publish

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Oct 3 13:54:49 UTC 2011


On 03/10/2011 13:45, Torinthiel wrote:
> On 2011-10-01 11:40, Matthew Seaman wrote:

>> dnssec-signzone will grok all the built-in dates and do the right thing
>> when you sign the zone.

> BTW, how does dnssec-signzone behave when you pass -s option? Does it
> take into account that date when determining whether to use/publish key?
> Can one for example generate signatures for the future using
> dnssec-signzone, or is it possible only with careful manual inclusion?

If the date or offset you specify via the -s option is outside the
period of activation of a key, then dnssec-signzone won't use that key
to sign that RR.  So if you're trying to manage keys manually you will
need to re-sign the zone once the activation date plus 1 hour has passed
-- assuming you take the defaults for '-s' -- to pick up the RRSIGs made
with the new key.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW



More information about the bind-users mailing list