Seeking Advice on DNSSEC Algorithm Rollover

Spain, Dr. Jeffry A. spainj at
Mon Jun 25 11:45:31 UTC 2012

>> My experience with changing the timing metadata or removing the key 
>> files is that named issues a warning like the following: zone <zone>/IN:
>> Key <zone>/<algorithm>/<key tag> missing or inactive and has no
>> replacement: retaining signatures. In this circumstance none of the 
>> RRSIGs or NSECs are removed. They sit there indefinitely even after 
>> the RRSIGs expire.

> If I remember correctly, that was because you removed the keyfile rather than just updating the timing metadata. Try updating the timing data and leaving the keyfiles in place until after BIND has acted on the deletion date.

I did some additional testing over the weekend. Removing the key files without updating the timing metadata definitely causes this problem. Updating the timing metadata such that the inactive date is in the past and the deletion date is in the future also causes this problem. The key to success appears to be updating the timing metadata such that the inactive and deletion dates are both in the past. I still want to test this where there are no keys present for a second algorithm, i.e. a secure to insecure transition. Thanks. Jeff.

More information about the bind-users mailing list