auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis
Mathew.Eis at nau.edu
Wed Jul 13 23:47:48 UTC 2016
One last question (I hope):
sig-validity-interval seems to only affect the expiration date of newly created signatures, and of course signatures are only rolling over to new keys as they expire.
I am wondering if I can ask bind to set the expiration for, say, 30 days out, but when a new key is published, publish all signatures with the new key sooner, say, a week before the previous ones expire.
One option would be to use rndc sign [zone] to forcibly re-sign all records with all published keys, but of course that would upset any jitter… Are there any other approaches?
From: Tony Finch <dot at dotat.at>
Date: Wednesday, July 6, 2016 at 2:48 AM
To: Mathew Eis <Mathew.Eis at nau.edu>
Cc: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis <Mathew.Eis at nau.edu> wrote:
> Does all of that sound right?
I believe so, yes.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly,
backing southwesterly, 3 or 4, becoming variable for a time. Smooth or slight,
occasionally moderate in Humber and Biscay. Fair. Good.