auto-dnssec maintain and DNSKEY removal

Tony Finch dot at
Thu Jul 14 10:17:14 UTC 2016

Mathew Ian Eis <Mathew.Eis at> wrote:
> sig-validity-interval seems to only affect the expiration date of newly
> created signatures, and of course signatures are only rolling over to
> new keys as they expire.
> I am wondering if I can ask bind to set the expiration for, say 30 days
> out, but when a new key is published, publish all signatures with the
> new key sooner, say, a week before the previous ones expire.

I'm not sure how what you are asking for is different from the default.

Here's what the ARM says (slightly edited for clarity):

: sig-validity-interval specifies the number of days into the future when
: automatically generated DNSSEC signatures will expire. There is an
: optional second field which specifies how long before expiry that the
: signatures will be regenerated. The second field is specified in days if
: the base interval is greater than 7 days otherwise it is specified in
: hours. If not specified, the signatures will be regenerated at 1/4 of
: base interval. The default base interval is 30 days giving a re-signing
: interval of 7 1/2 days.

So typically you would use dnssec-settime to retire the old key and
activate the new key at the same time (so you don't have multiple RRSIGs
per RRset). After this time it will take 22.5 days to replace all the
signatures, so the old signatures will all be gone 7.5 days before the
last one expires.

I've set my servers for faster RRSIG turnover, sig-validity-interval 10 8,
so all signatures are replaced every 2 days, and the 8 day grace period is
a bit longer than the 7 day SOA expire time.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
South Utsire: Northwesterly 5 to 7, perhaps gale 8 later. Moderate or rough.
Showers. Good.
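Worked example (added here; not part of Tony's message or of BIND's own tooling): a small POSIX shell script that reproduces the ARM arithmetic he quotes, including the "days if base > 7, otherwise hours" rule for the optional second field, and prints the dnssec-settime/rndc commands for the same-instant retire/activate rollover he describes. The zone name, key file names, the 24-hour maximum record TTL and the delete-date formula (old key deleted only after every RRSIG it made has been replaced and could have aged out of caches) are my assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Arithmetic behind BIND's
# sig-validity-interval and the commands for a same-instant ZSK rollover.

# resign_hours BASE [REGEN]
# BASE is the sig-validity-interval base in days. REGEN is the optional
# second field: read in days if BASE > 7, otherwise in hours. When REGEN is
# absent the ARM default applies: re-sign at 1/4 of the base interval.
resign_hours() {
    base=$1
    regen=${2:-}
    if [ -z "$regen" ]; then
        echo $(( base * 24 / 4 ))
    elif [ "$base" -gt 7 ]; then
        echo $(( regen * 24 ))
    else
        echo "$regen"
    fi
}

# turnover_hours BASE [REGEN]
# How long after a key change named takes to replace the last RRSIG made with
# the old key: full validity minus the re-sign margin (30 -> 540 h = 22.5 d).
turnover_hours() {
    base=$1
    echo $(( base * 24 - $(resign_hours "$@") ))
}

# hours_to_days HOURS: pretty-print for humans (awk handles the fraction).
hours_to_days() {
    awk -v h="$1" 'BEGIN { print h / 24 }'
}

# rollover_commands ZONE OLDKEY NEWKEY MAXTTL_HOURS BASE [REGEN]
# Emits the commands for the rollover described in the message: the old ZSK
# goes inactive at the same instant the new one becomes active, so no RRset
# ever carries two RRSIGs. Assumptions (mine, not from the thread): NEWKEY was
# already published (-P) at least one DNSKEY TTL ago, and the old key may only
# be deleted once every signature it made has been replaced (turnover) and the
# longest-lived replaced record has aged out of caches (MAXTTL_HOURS).
# dnssec-settime accepts "now" and "+<n>h" style relative times.
rollover_commands() {
    zone=$1 old=$2 new=$3 maxttl=$4
    shift 4
    delete=$(( $(turnover_hours "$@") + maxttl ))
    printf '%s\n' \
        "dnssec-settime -I now $old" \
        "dnssec-settime -A now $new" \
        "dnssec-settime -D +${delete}h $old" \
        "rndc loadkeys $zone"
}

# Demonstration with the two configurations discussed in the thread.
printf 'default (30):   re-sign every %s d, full turnover %s d\n' \
    "$(hours_to_days "$(resign_hours 30)")" "$(hours_to_days "$(turnover_hours 30)")"
printf 'Tony (10 8):    re-sign every %s d, full turnover %s d\n' \
    "$(hours_to_days "$(resign_hours 10 8)")" "$(hours_to_days "$(turnover_hours 10 8)")"
# Placeholder zone and key names; substitute your own K<zone>+<alg>+<id> files.
rollover_commands example.com Kexample.com.+008+11111 Kexample.com.+008+22222 24 30
```

The first two lines of output match the figures in the message (7.5/22.5 days for the default, 2/8 days for "10 8"). The printed dnssec-settime lines are meant to be reviewed and then run by hand against the real key files; `rndc loadkeys` makes an `auto-dnssec maintain` zone pick up the new timing metadata without a full reload.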
