KSK signing all records; NSEC3 algorithm status?

Phil Pennock bind-users+phil at spodhuis.org
Thu May 29 05:10:50 UTC 2014

On 2014-05-29 at 00:59 -0400, Phil Pennock wrote:
> The new DNSKEY had id=33768 and when I deployed it, Bind signed the SOA
> with it but nothing else.

Bind 9.10 ARM (PDF-only??):
 "However, if the new key is replacing an existing key of the same
  algorithm, then the zone will be re-signed incrementally, with
  signatures from the old key being replaced with signatures from the new
  key as their signature validity periods expire. By default, this
  rollover completes in 30 days, after which it will be safe to remove the
  old key from the DNSKEY RRset."

This is the cause, isn't it?  The KSK/ZSK distinction again is
irrelevant here.  I'm not seeing any way to fix this, while keeping the
current id=53065 KSK.

Is there a way to transition in a timely manner while keeping current

If not, if I were to use dnssec-settime to set the 53065 key to be
retired in two days and generate a new KSK of same algorithm, what would
the timing be on switching to the new key and getting all the records
updated?  I have a two hour TTL on the DS records in the parent, which
are currently for 53065.

