key rollover with BIND 9.9

Axel Rau Axel.Rau at
Sat Jan 26 09:49:39 UTC 2013

Am 26.01.2013 um 00:39 schrieb Michael W. Lucas:

> Hi,
> I'm trying to automate key rollover with BIND 9.9.2 (will soon upgrade
> to new rev). I have a couple of elementary questions that seem to be
> answered briefly in the documentation, but I suspect that my grasp of
> key rollover is clouded by the last decade of blog posts about tools
> and techniques that are no longer necessary.
> I have a test zone set with "auto-dnssec maintain" and "inline-signing
> yes".  My zone gets signed, RRSIGs get generated, and so on.
> The 9.9 ARM says at 4.9.7 that named will automatically carry out the
> key rollover. Does this include creation of new key files?
> When the KSK rolls over, do I need to update my registrar? Or does
> that happen automatically? (I see hints that the root servers pick up
> the new DS record, but that seems too good to be true.)
> By default, keys have no expiration date. I'm assuming I must set an
> expiration date on the ZSK and KSK for named to automatically create
> the new key?
> As a test, I've set my test zone ZSK with a fairly short time to
> expire.
> dnssec-settime -I +7d -D +14d
> named hasn't created a new ZSK, however. Should I expect it to? Or is
> there some other document I need to read?
It's your responsibility to create the keys and to renew the DS-RR with your registrar.
I have written a python3 script which does all this housekeeping including registrar updates for 2 registrars.
You find it here

PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

More information about the bind-users mailing list