inactivating and deleting DNSSEC keys

Alan Clegg alan at
Tue Oct 8 22:59:47 UTC 2013

On Oct 8, 2013, at 6:51 PM, Alan Clegg <alan at> wrote:

> On Oct 8, 2013, at 6:42 PM, David Newman <dnewman at> wrote:
>> Problem is, dig says the key is still active, and will be until 29
>> October 2013:
>> $ dig @localhost +multi rrsig | grep 56989
>> 20131029191450 20130929181450 56989
> You don't provide all of the record.  It's an RRSIG that is still within its lifetime.
> Do a dig for "DNSKEY" type at the zone name and see what you get back.

That was "type" not "retype".

Anyway, this brings up a request that I've made that all RRSIG records be removed if the associated DNSKEYs are removed, but at this point, it's not the default.  This is taken from "man dnssec-signzone":

           Remove signatures from keys that no longer exist.

           Normally, when a previously-signed zone is passed as input to the
           signer, and a DNSKEY record has been removed and replaced with a
           new one, signatures from the old key that are still within their
           validity period are retained. This allows the zone to continue to
           validate with cached copies of the old DNSKEY RRset. The -R forces
           dnssec-signzone to remove all orphaned signatures.

I believe that this should be the default behavior (otherwise, we get double signatures when rolling ZSKs).

The point of doing all of the timing calculation surrounding key rollover is to solve the problem of those cached keys; I don't think that dnssec-signzone (or the automated signing) is doing anyone a favor.

Or there needs to be a zone (and global) specific option that allows the same "-R" behavior during automated rollovers.

Alan Clegg | +1-919-355-8851 | alan at
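The check the thread is circling around (are there RRSIGs in the zone whose key tag no longer matches any published DNSKEY, and are they still inside their validity window?) can be scripted. The following is an added example, not code from the list post or from BIND: it parses constructed single-line presentation-format records (the shape `dig +noall +answer` prints), computes each DNSKEY's key tag with the RFC 4034 Appendix B algorithm, and reports RRSIGs that reference a key tag with no live DNSKEY. The DNSKEY public keys are tiny fake values, not real RSA keys, and the record set is constructed; key tag 56989 and the timestamps are the ones quoted in the thread.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed sample records: the old ZSK (tag 56989) has been deleted from
# the DNSKEY RRset, but a signature it made is still within its validity period.
# Public keys are fake placeholders (3 bytes each), not real RSA key material.
SAMPLE_RECORDS = """\
example.com.      3600 IN DNSKEY 256 3 8 AQID
example.com.      3600 IN DNSKEY 257 3 8 BAUG
example.com.      3600 IN RRSIG  DNSKEY 8 2 3600 20131029191450 20130929181450 3598 example.com. c2lnMQ==
example.com.      3600 IN RRSIG  SOA 8 2 3600 20131029191450 20130929181450 2058 example.com. c2lnMg==
www.example.com.  3600 IN RRSIG  A 8 3 3600 20131029191450 20130929181450 56989 example.com. c2lnMw==
"""


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B: fold the DNSKEY RDATA into 16 bits.

    The RSA/MD5 special case (algorithm 1) is not handled here.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Split presentation-format lines into (owner, type, rdata_fields)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        owner, _ttl, _class, rrtype = fields[:4]
        records.append((owner, rrtype, fields[4:]))
    return records


def live_key_tags(records):
    """Key tags of every DNSKEY currently published in the record set."""
    tags = set()
    for _owner, rrtype, rdata in records:
        if rrtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            tags.add(key_tag(flags, proto, alg, "".join(rdata[3:])))
    return tags


def rrsig_valid_at(expiration, inception, when):
    """True if `when` (aware UTC datetime) lies inside the RRSIG validity window."""
    fmt = "%Y%m%d%H%M%S"
    exp = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(inception, fmt).replace(tzinfo=timezone.utc)
    return inc <= when <= exp


def find_orphaned_rrsigs(text, when):
    """RRSIGs whose key tag matches no published DNSKEY.

    Returns (owner, type_covered, key_tag, still_valid) tuples. An orphan that is
    still valid is exactly the state the thread describes: the signer kept the
    signature even though the key it was made with is gone.
    """
    records = parse_records(text)
    tags = live_key_tags(records)
    orphans = []
    for owner, rrtype, rdata in records:
        if rrtype != "RRSIG":
            continue
        # RRSIG RDATA: type_covered alg labels orig_ttl expiration inception key_tag signer sig
        covered, expiration, inception, tag = rdata[0], rdata[4], rdata[5], int(rdata[6])
        if tag not in tags:
            orphans.append((owner, covered, tag, rrsig_valid_at(expiration, inception, when)))
    return orphans


if __name__ == "__main__":
    now = datetime(2013, 10, 8, 22, 59, 47, tzinfo=timezone.utc)  # date of the post
    for owner, covered, tag, valid in find_orphaned_rrsigs(SAMPLE_RECORDS, now):
        state = "still valid" if valid else "expired"
        print(f"orphaned RRSIG: {owner} {covered} signed by key tag {tag} ({state})")
```

Run against real data, replace `SAMPLE_RECORDS` with the output of `dig +noall +answer` for the DNSKEY and RRSIG RRsets (or the signed zone file); any orphan reported as still valid is a signature that `dnssec-signzone -R` would have dropped and that the default retention behaviour keeps.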
