bind 9.10-P2 dnssec keys management

Evan Hunt
Fri Aug 8 03:40:46 UTC 2014

> 3.       I use dig to check whether BIND activates the new key correctly or
> not, but I notice there are some DNS records which are signed by the new key
> and some DNS records which are signed by the old key. In theory, after the new ZSK is
> activated, all DNS records must be signed with the new key.

After a new ZSK is activated, records will be signed with the new key
*when their signatures need to be refreshed*.  Signatures normally have
a 30 day lifetime and are refreshed at least 7 days before they expire.
As long as the old ZSK is still in the DNSKEY rrset, there's no reason
to hurry the process up, so the old signatures are not immediately
removed when a new ZSK is activated.

If you were to publish a new ZSK on September 1, deactivate the old
one and activate the new one on October 1, and delete the old one on
November 1, everything should run smoothly.  (By November 1 all the
signatures from the old key would be gone, so you could delete
the key from the DNSKEY rrset without causing problems.)

The "dnssec-coverage" tool can be used to check your key set for
timing consistency.

If you need to force the entire zone to be signed with the new key
without waiting out the usual re-signing period, use "rndc sign <zone>".

Evan Hunt
Internet Systems Consortium, Inc.
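As an added illustration (not part of this thread and not BIND's own dnssec-coverage code), a small Python check over the timeline in the reply: it takes the publish/activate/inactive/delete dates of the old and new ZSK and reports whether the old key is removed from the DNSKEY rrset before its last signatures can have been refreshed. The `KeyTiming` fields and all sample dates are constructed; the 30-day lifetime and 7-day refresh margin are the defaults quoted above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Defaults quoted in the reply: 30-day RRSIG lifetime, re-signed at
# least 7 days before expiry (assumed values, adjust to your config).
SIG_LIFETIME = timedelta(days=30)
REFRESH_MARGIN = timedelta(days=7)


@dataclass
class KeyTiming:
    """Timing metadata of one ZSK (constructed model of the key's dates)."""
    name: str
    publish: date                      # key appears in the DNSKEY rrset
    activate: date                     # key starts producing signatures
    inactive: Optional[date] = None    # key stops producing signatures
    delete: Optional[date] = None      # key leaves the DNSKEY rrset


def old_signatures_gone_by(old: KeyTiming) -> date:
    """Last date an RRSIG made by the old key can still be valid.

    The final signature is made just before the inactive date and lives
    SIG_LIFETIME, so nothing signed by the old key survives past this day.
    """
    assert old.inactive is not None
    return old.inactive + SIG_LIFETIME


def old_signatures_refreshed_by(old: KeyTiming) -> date:
    """Date by which the refresh cycle has re-signed every old-key RRSIG."""
    assert old.inactive is not None
    return old.inactive + SIG_LIFETIME - REFRESH_MARGIN


def check_zsk_rollover(old: KeyTiming, new: KeyTiming) -> List[str]:
    """Return timing problems found; an empty list means the plan is safe."""
    problems = []
    if new.publish >= new.activate:
        problems.append(f"{new.name}: must be published before it is activated")
    if old.inactive is None or old.delete is None:
        problems.append(f"{old.name}: needs both inactive and delete dates")
        return problems
    if old.inactive < new.activate:
        problems.append(f"{old.name}: inactive before {new.name} is active "
                        "(gap with no active ZSK)")
    if old.delete < old_signatures_gone_by(old):
        problems.append(f"{old.name}: deleted on {old.delete} but its signatures "
                        f"may remain until {old_signatures_gone_by(old)}")
    return problems
```

With the dates from the reply (publish Sep 1, activate and deactivate Oct 1, delete Nov 1) the check returns no problems; moving the delete date to Oct 15 flags it.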
