key rollover with BIND 9.9

Michael W. Lucas mwlucas at
Fri Jan 25 23:39:23 UTC 2013


I'm trying to automate key rollover with BIND 9.9.2 (will soon upgrade
to new rev). I have a couple of elementary questions that seem to be
answered briefly in the documentation, but I suspect that my grasp of
key rollover is clouded by the last decade of blog posts about tools
and techniques that are no longer necessary.

I have a test zone set with "auto-dnssec maintain" and "inline-signing
yes".  My zone gets signed, RRSIGs get generated, and so on.

The 9.9 ARM says at 4.9.7 that named will automatically carry out the
key rollover. Does this include creation of new key files?

When the KSK rolls over, do I need to update my registrar? Or does
that happen automatically? (I see hints that the root servers pick up
the new DS record, but that seems too good to be true.)

By default, keys have no expiration date. I'm assuming I must set an
expiration date on the ZSK and KSK for named to automatically create
the new key?

As a test, I've set my test zone ZSK with a fairly short time to

dnssec-settime -I +7d -D +14d

named hasn't created a new ZSK, however. Should I expect it to? Or is
there some other document I need to read?



Michael W. Lucas,
Latest book: SSH Mastery
mwlucas at, Twitter @mwlauthor
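The timing questions in the post (does "auto-dnssec maintain" create key files, and why a ZSK given "-I +7d -D +14d" has not been replaced) come down to the lifecycle metadata named reads from the key files in the key directory. The script below is an added illustration for this thread, not code from the post or from ISC: it parses the Publish/Activate/Inactive/Delete comment lines BIND writes at the top of each Kzone.+alg+id.key file (the same values dnssec-settime -p all prints), derives each key's state at a point in time, and reports the first moment in a look-ahead window at which the zone would have no active KSK or ZSK. The key files are constructed samples: key ids 11111/22222/33333 and the DNSKEY RDATA "PLACEHOLDER" are invented, the ZSK times mirror the post's dnssec-settime run on 2013-01-25 23:39:23, and the one-day prepublication interval in the usage call is an arbitrary choice.

```python
"""Audit the key timing metadata that named's "auto-dnssec maintain" acts on.

Added illustration for this thread; not code from the post or from ISC.
Key ids, the DNSKEY RDATA "PLACEHOLDER" and the sample times are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed key files, in the format BIND writes to Kzone.+alg+id.key.
KSK_FILE = """\
; This is a key-signing key, keyid 11111, for example.com.
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)
example.com. IN DNSKEY 257 3 8 PLACEHOLDER
"""
ZSK_FILE = """\
; This is a zone-signing key, keyid 22222, for example.com.
; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Inactive: 20130201233923 (Fri Feb  1 23:39:23 2013)
; Delete: 20130208233923 (Fri Feb  8 23:39:23 2013)
example.com. IN DNSKEY 256 3 8 PLACEHOLDER
"""
# A successor ZSK: its Activate time equals the predecessor's Inactive time
# (the alignment dnssec-keygen -S gives a successor); the Publish time here
# is chosen by hand so the key is pre-published on 2013-01-25.
SUCCESSOR_FILE = """\
; This is a zone-signing key, keyid 33333, for example.com.
; Publish: 20130125233923 (Fri Jan 25 23:39:23 2013)
; Activate: 20130201233923 (Fri Feb  1 23:39:23 2013)
example.com. IN DNSKEY 256 3 8 PLACEHOLDER
"""

STAMP = re.compile(r"^;\s*(Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})")
DNSKEY = re.compile(r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+3\s+(\d+)")


def parse_key_file(text):
    """Return the key's flags, algorithm, KSK/ZSK role and timing metadata."""
    times, flags, alg = {}, None, None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            times[m.group(1)] = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            continue
        m = DNSKEY.match(line)
        if m:
            flags, alg = int(m.group(1)), int(m.group(2))
    if flags is None:
        raise ValueError("no DNSKEY record in key file")
    # Bit 0 of the flags field is the SEP bit: 257 marks a KSK, 256 a ZSK.
    return {"flags": flags, "alg": alg, "ksk": bool(flags & 1), "times": times}


def key_state(key, at):
    """Lifecycle state implied by the metadata at time `at`.

    A key with no Inactive/Delete time (dnssec-keygen's default) stays
    'active' indefinitely."""
    t = key["times"]
    if "Delete" in t and at >= t["Delete"]:
        return "deleted"
    if "Inactive" in t and at >= t["Inactive"]:
        return "inactive"     # still in the DNSKEY RRset, no longer signs
    if "Activate" in t and at >= t["Activate"]:
        return "active"
    if "Publish" in t and at >= t["Publish"]:
        return "published"    # pre-published, not yet signing
    return "unpublished"


def first_signing_gaps(keys, start, horizon):
    """Per role, the first time in [start, horizon] with no active key of that
    role. State only changes at a key's own timestamps, so only those instants
    (plus `start`) need checking."""
    events = {start}
    for k in keys:
        events.update(ts for ts in k["times"].values() if start <= ts <= horizon)
    gaps = {}
    for when in sorted(events):
        for role, is_ksk in (("KSK", True), ("ZSK", False)):
            if role not in gaps and not any(
                k["ksk"] == is_ksk and key_state(k, when) == "active" for k in keys
            ):
                gaps[role] = when
    return gaps


def successor_publish_deadline(zsk, prepublish):
    """Latest Publish time for a successor in a prepublication rollover: it must
    be in the DNSKEY RRset for `prepublish` (DNSKEY TTL plus a propagation
    margin, chosen by the operator) before the old ZSK stops signing."""
    return zsk["times"]["Inactive"] - prepublish


def audit(key_files, now, lookahead=timedelta(days=30)):
    """Parse the key files and report the first KSK/ZSK gap in the window."""
    keys = [parse_key_file(text) for text in key_files]
    return first_signing_gaps(keys, now, now + lookahead)


if __name__ == "__main__":
    now = datetime(2013, 1, 25, 23, 39, 23)
    print("without successor:", audit([KSK_FILE, ZSK_FILE], now))
    print("with successor:   ", audit([KSK_FILE, ZSK_FILE, SUCCESSOR_FILE], now))
    zsk = parse_key_file(ZSK_FILE)
    print("successor must be published by",
          successor_publish_deadline(zsk, timedelta(days=1)))
```

Run against the two original sample files, the audit reports a ZSK gap starting at the Inactive time from the post's settime run; adding the successor file closes it, because named's maintenance only applies the timings it finds in the key directory. On a live server, read the files from the zone's key-directory instead of the inline strings.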
