Seeking Advice on DNSSEC Algorithm Rollover

Alexander Gurvitz alex at
Sun Jun 24 06:02:12 UTC 2012


I don't think that bind trying to sign with non-existent key will do any
harm - probably just warning.
But it's simpler - change metadata of the key - set deletion time to the
time you want the key to be deleted (like DS deletion time+TTL).
Bind with auto-dnnsec allow re-reads the metadata and should remove the key
and all the signatures at that time.

You don't need nsupdate nor update-policy for that.

Alexander Gurvitz,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list