auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis Mathew.Eis at
Wed Jul 13 23:47:48 UTC 2016

One last question (I hope):

sig-validity-interval seems to only affect the expiration date of newly created signatures, and of course signatures are only rolling over to new keys as they expire.

I am wondering if I can ask bind to set the expiration for, say, 30 days out, but when a new key is published, publish all signatures with the new key sooner, say, a week before the previous ones expire.

One option would be to use rndc sign [zone] to forcibly re-sign all records with all published keys, but of course that would upset any jitter… Are there any other approaches?

Thanks again,

Mathew Eis

-----Original Message-----
From: Tony Finch <dot at>
Date: Wednesday, July 6, 2016 at 2:48 AM
To: Mathew Eis <Mathew.Eis at>
Cc: "bind-users at" <bind-users at>
Subject: Re: auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis <Mathew.Eis at> wrote:
> Does all of that sound right?

I believe so, yes.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly,
backing southwesterly, 3 or 4, becoming variable for a time. Smooth or slight,
occasionally moderate in Humber and Biscay. Fair. Good.
