Seeking Advice on DNSSEC Algorithm Rollover

Spain, Dr. Jeffry A. spainj at
Sun Jun 24 14:37:56 UTC 2012

> I don't think that bind trying to sign with non-existent key will do any harm - probably just warning.
> But it's simpler - change metadata of the key - set deletion time to the time you want the key to be deleted (like DS deletion time+TTL).
> Bind with auto-dnssec allow re-reads the metadata and should remove the key and all the signatures at that time.
> You don't need nsupdate nor update-policy for that.

Thanks very much. My experience with changing the timing metadata or removing the key files is that named issues a warning like the following:
zone <zone>/IN: Key <zone>/<algorithm>/<key tag> missing or inactive and has no replacement: retaining signatures.
In this circumstance none of the RRSIGs or NSECs are removed. They sit there indefinitely even after the RRSIGs expire.
Best regards, Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
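
An added example, not part of the original post and not BIND code: a check for the condition described above, where RRSIGs remain in the zone after their key is gone and after they expire. It assumes one record per line in `owner TTL class type rdata` order, as `dig AXFR` prints it; the zone data, key material, signatures and the function name `find_stale_rrsigs` are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample, one record per line (owner TTL class type rdata).
# The zone rolled from algorithm 5 to 8 and the algorithm-5 DNSKEY is
# already gone. Key material and signatures are dummies.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTED
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 5 3600 600 86400 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20120720000000 20120620000000 11111 example.test. c2lnQQ==
example.test. 3600 IN RRSIG SOA 5 2 3600 20120601000000 20120502000000 22222 example.test. c2lnQg==
www.example.test. 3600 IN RRSIG A 5 3 3600 20120715000000 20120615000000 22222 example.test. c2lnQw==
"""

def _ts(text):
    """RRSIG times in presentation format are YYYYMMDDHHmmSS, in UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def find_stale_rrsigs(zone_text, now):
    """Return (owner, covered_type, algorithm, key_tag, reasons) for each
    RRSIG that is expired or whose algorithm has no DNSKEY left in the zone."""
    key_algs, sigs = set(), []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner, rtype, rdata = f[0], f[3].upper(), f[4:]
        if rtype == "DNSKEY" and len(rdata) >= 4:
            key_algs.add(int(rdata[2]))  # rdata: flags, protocol, algorithm, key
        elif rtype == "RRSIG" and len(rdata) >= 9:
            # rdata: covered, alg, labels, ttl, expiration, inception, tag, ...
            sigs.append((owner, rdata[0], int(rdata[1]), int(rdata[6]), _ts(rdata[4])))
    findings = []
    for owner, covered, alg, tag, expires in sigs:
        reasons = []
        if expires < now:
            reasons.append("expired")
        if alg not in key_algs:
            reasons.append("no DNSKEY for algorithm")
        if reasons:
            findings.append((owner, covered, alg, tag, reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2012, 6, 24, 14, 37, 56, tzinfo=timezone.utc)  # constructed clock
    for finding in find_stale_rrsigs(SAMPLE_ZONE, now):
        print(finding)
```

The algorithm comparison is coarser than matching key tags, but it needs no key-tag computation and is enough to spot signatures left behind by a removed algorithm.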
