SOA record not signed with new key at key-rollover

Tony Finch dot at
Mon Jul 18 10:48:18 UTC 2016

Nis Wechselberg <enbewe at> wrote:

> Am I getting it right that the rest of the zone is not (re)signed
> because the current signature is still valid for some time?
> So if I were to set sig-validity-interval to a shorter value, this would
> help with the issue?

If you are testing out a fast rollover schedule then it would make sense
to set a short sig-validity-interval, scaled to match.

If your rollover time is much shorter then you are testing something that
is more like an emergency unplanned rollover.

f.anthony.n.finch  <dot at>  -  I xn--zr8h punycode
Irish Sea: Southerly, becoming variable, 3 or 4, occasionally 5 at first in
west. Smooth or slight. Fog banks. Moderate or good, occasionally very poor.

More information about the bind-users mailing list