error when removing expired key files

Tony Finch dot at
Mon May 8 10:22:47 UTC 2017

Gordon Messmer <gordon.messmer at> wrote:
> After new keys are introduced, and after the old key has expired,

Wait right there!

dnssec-settimes has two times that are usually relevant to the old key
when rolling keys: the retire time and the delete time. (There's also a
revocation time but we don't need to worry about that now.)

There isn't a key expire time.

It sounds to me like named is upset because you have not properly
co-ordinated the retirement of the key (when it stops being used to make
signatures) with the expiry of the signatures made using the key (by
default 30 days later) with the deletion of the key from the zone.

You shouldn't delete the key from disk until everything has gone from the
zone and named has done the key maintenance to delete its internal state.

You might also want to take a look at the dnssec-keymgr utility:
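
Added example, not part of the original message and not BIND's own code: a Python check that reads the timing comments from a K*.key file and reports whether the retire time, the signature expiry and the delete time line up as described above. The sample key text, the names `key_times` and `check_retirement`, and the mapping of the retire time to the file's `Inactive:` field are assumptions of this example; the 30-day signature validity is the default mentioned in the message.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the timing comments found in a K*.key file.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20170101000000 (Sun Jan  1 00:00:00 2017)
; Publish: 20170101000000 (Sun Jan  1 00:00:00 2017)
; Activate: 20170101000000 (Sun Jan  1 00:00:00 2017)
; Inactive: 20170401000000 (Sat Apr  1 00:00:00 2017)
; Delete: 20170408000000 (Sat Apr  8 00:00:00 2017)
example.com. IN DNSKEY 256 3 8 PLACEHOLDERKEYDATA
"""

TIMING = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)

def key_times(text):
    """Map each timing field in the key file text to a UTC datetime."""
    return {name: datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, ts in TIMING.findall(text)}

def check_retirement(text, now, sig_validity=timedelta(days=30)):
    """Return a list of problems; an empty list means the timings are
    consistent. It cannot tell whether named has finished its own key
    maintenance, which still has to happen before the file is removed."""
    times = key_times(text)
    retire, delete = times.get("Inactive"), times.get("Delete")
    problems = []
    if retire is None:
        problems.append("no retire (Inactive) time set")
    if delete is None:
        problems.append("no delete time set")
    if retire and delete and delete < retire + sig_validity:
        problems.append("delete time falls before the key's last signatures expire")
    if retire and now < retire + sig_validity:
        problems.append("signatures made with this key may still be in the zone")
    if delete and now < delete:
        problems.append("key has not yet been deleted from the zone")
    return problems

if __name__ == "__main__":
    now = datetime(2017, 5, 8, 10, 22, 47, tzinfo=timezone.utc)
    for problem in check_retirement(SAMPLE_KEY, now) or ["timings are consistent"]:
        print(problem)
```

With the constructed sample, the delete time is only 7 days after the retire time, so the check reports that the key leaves the zone before its signatures have expired.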

