auto-dnssec maintain and DNSKEY removal

Tony Finch
Mon Jul 4 15:08:54 UTC 2016

Mathew Ian Eis <Mathew.Eis at> wrote:
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to determine whether or not to remove the DNSKEY from
> the zone.

How promptly are you deleting the key files? Are you allowing enough time
for named to go through a zone key maintenance cycle? (which is hourly if
I remember correctly)

> Lastly, so long as a zone is properly signed with a different key, are
> there any concerns with manually removing the zombie DNSKEY records via
> an update even while auto-dnssec maintain is enabled?

I believe that should work.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
North Rockall: Westerly or northwesterly 3 or 4, increasing 5 at times.
Moderate. Showers. Good.
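Added example (not from this thread, and not BIND's own code): a small checker for the two points above. It reads the "; Field: YYYYMMDDHHMMSS" timing comments that dnssec-keygen/dnssec-settime write into K*.key files, refuses to treat a key file as removable until named has had two maintenance passes after its Delete time (it assumes named re-reads keys once per dnssec-loadkeys-interval, default 60 minutes), and builds an nsupdate script that deletes exactly one leftover DNSKEY RR, but only when some other key is currently active so the zone stays signed. The two key files, their timing values and the server address are constructed for the example.

```python
"""Check BIND key timing metadata before deleting key files, and build an
nsupdate script that removes a leftover ("zombie") DNSKEY only while
another key is active.

Added example; not from the bind-users thread or from BIND.  Assumes the
"; Field: YYYYMMDDHHMMSS" comment lines dnssec-keygen writes into K*.key
files and that named re-reads key files once per dnssec-loadkeys-interval.
"""
import re
from datetime import datetime, timedelta, timezone

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
META_RE = re.compile(r"^;\s*(\w+):\s*(\d{14})")
DEFAULT_LOADKEYS_INTERVAL = timedelta(minutes=60)   # named.conf default

# Constructed sample K*.key files; the public key material is fake.
KEY_FILES = {
    "Kexample.com.+013+11111.key": """\
; This is a zone-signing key, keyid 11111, for example.com.
; Created: 20160101000000 (Fri Jan  1 00:00:00 2016)
; Publish: 20160101000000 (Fri Jan  1 00:00:00 2016)
; Activate: 20160108000000 (Fri Jan  8 00:00:00 2016)
; Inactive: 20160701000000 (Fri Jul  1 00:00:00 2016)
; Delete: 20160704120000 (Mon Jul  4 12:00:00 2016)
example.com. IN DNSKEY 256 3 13 oldZSKoldZSKoldZSKoldZSKoldZSKoldZSKoldZSKoldZSK==
""",
    "Kexample.com.+013+22222.key": """\
; This is a zone-signing key, keyid 22222, for example.com.
; Created: 20160601000000 (Wed Jun  1 00:00:00 2016)
; Publish: 20160601000000 (Wed Jun  1 00:00:00 2016)
; Activate: 20160701000000 (Fri Jul  1 00:00:00 2016)
; Inactive: 20170101000000 (Sun Jan  1 00:00:00 2017)
; Delete: 20170104000000 (Wed Jan  4 00:00:00 2017)
example.com. IN DNSKEY 256 3 13 newZSKnewZSKnewZSKnewZSKnewZSKnewZSKnewZSKnewZSK==
""",
}


def parse_key_file(text):
    """Return timing fields as aware UTC datetimes plus the DNSKEY RR parts."""
    meta = {}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m and m.group(1) in TIMING_FIELDS:
            meta[m.group(1)] = datetime.strptime(
                m.group(2), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        elif not line.startswith(";") and " DNSKEY " in line:
            owner, _, rdata = line.partition(" DNSKEY ")
            meta["owner"] = owner.split()[0]          # drop TTL/class if present
            meta["rdata"] = " ".join(rdata.split())   # "256 3 13 <base64>"
    return meta


def earliest_file_removal(meta, interval=DEFAULT_LOADKEYS_INTERVAL):
    """named must still see the file on the first maintenance pass after the
    Delete time to learn the DNSKEY is due out; allow a second pass as slack.
    A key with no Delete time is never removed by named, so never by us."""
    if "Delete" not in meta:
        return None
    return meta["Delete"] + 2 * interval


def file_removal_ok(meta, now, interval=DEFAULT_LOADKEYS_INTERVAL):
    t = earliest_file_removal(meta, interval)
    return t is not None and now >= t


def is_active(meta, now):
    """True when the key is currently signing: Activate <= now < Inactive."""
    act, inact = meta.get("Activate"), meta.get("Inactive")
    return act is not None and act <= now and (inact is None or now < inact)


def zombie_removal_script(zone, zombie, others, now, server="127.0.0.1"):
    """nsupdate input that deletes exactly the zombie DNSKEY RR.  Refuses
    unless another key is active (zone stays signed) and the zombie itself
    is past its Inactive time (otherwise fix its timing, do not delete it)."""
    if not any(is_active(k, now) for k in others):
        raise RuntimeError("no other active key; refusing to remove DNSKEY")
    if is_active(zombie, now):
        raise RuntimeError("key is still active; adjust it with dnssec-settime instead")
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f"update delete {zombie['owner']} DNSKEY {zombie['rdata']}",
        "send",
    ])


if __name__ == "__main__":
    now = datetime(2016, 7, 4, 15, 8, tzinfo=timezone.utc)   # date of the reply
    keys = {name: parse_key_file(text) for name, text in KEY_FILES.items()}
    old, new = keys["Kexample.com.+013+11111.key"], keys["Kexample.com.+013+22222.key"]
    for name, k in keys.items():
        print(name, "file removable:", file_removal_ok(k, now),
              "active:", is_active(k, now))
    print(zombie_removal_script("example.com.", old, [new], now))
```

Feed the printed script to "nsupdate -k <tsig-key-file>" (or -l for the local update key); named then accepts the deletion and re-signs the zone as it would for any dynamic update.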
