Seeking Advice on DNSSEC Algorithm Rollover

Tony Finch dot at
Mon Jun 25 11:36:24 UTC 2012

Spain, Dr. Jeffry A. <spainj at> wrote:
> My experience with changing the timing metadata or removing the key
> files is that named issues a warning like the following: zone <zone>/IN:
> Key <zone>/<algorithm>/<key tag> missing or inactive and has no
> replacement: retaining signatures. In this circumstance none of the
> RRSIGs or NSECs are removed. They sit there indefinitely even after the
> RRSIGs expire.

If I remember correctly, that was because you removed the keyfile rather
than just updating the timing metadata. Try updating the timing data and
leaving the keyfiles in place until after BIND has acted on the deletion

f.anthony.n.finch  <dot at>
Forties: Northwesterly 4 or 5, occasionally 6 in east. Slight or moderate,
occasionally rough later. Mainly fair. Moderate or good.
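
An added example, not part of the original post or of BIND: a Python check that reads the timing metadata comments from a key file and reports whether the file can be removed yet. The sample key file is constructed, and the comment layout and the `tags_in_zone` input (key tags still in the zone's DNSKEY RRset, gathered by the operator) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a K*.key file; zone, key id and key data are placeholders.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20120501000000 (Tue May  1 00:00:00 2012)
; Publish: 20120501000000 (Tue May  1 00:00:00 2012)
; Activate: 20120501000000 (Tue May  1 00:00:00 2012)
; Inactive: 20120620000000 (Wed Jun 20 00:00:00 2012)
; Delete: 20120625000000 (Mon Jun 25 00:00:00 2012)
example.com. IN DNSKEY 256 3 5 PLACEHOLDER
"""

META = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)
KEYID = re.compile(r"keyid\s+(\d+)")

def timing(key_text):
    """Return the timing metadata in the key file comments as UTC datetimes."""
    return {name: datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, ts in META.findall(key_text)}

def keyfile_status(key_text, now, tags_in_zone):
    """Say whether a key file may be removed, or why it must stay in place.

    tags_in_zone: key tags still present in the zone's DNSKEY RRset
    (assumed input, e.g. read from a DNSKEY query against the server).
    """
    match = KEYID.search(key_text)
    if match is None:
        raise ValueError("no keyid comment found in key file")
    delete = timing(key_text).get("Delete")
    if delete is None:
        return "keep: no Delete time set"
    if now < delete:
        return "keep: Delete time not reached"
    if int(match.group(1)) in tags_in_zone:
        return "keep: DNSKEY still published"
    return "removable"

if __name__ == "__main__":
    now = datetime(2012, 6, 25, 11, 36, 24, tzinfo=timezone.utc)
    print(keyfile_status(SAMPLE_KEY, now, {12345, 54321}))
    print(keyfile_status(SAMPLE_KEY, now, {54321}))
```
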
