error when removing expired key files

Gordon Messmer gordon.messmer at gmail.com
Tue May 9 04:52:03 UTC 2017


On 05/08/2017 03:22 AM, Tony Finch wrote:
> Gordon Messmer <gordon.messmer at gmail.com> wrote:
>> After new keys are introduced, and after the old key has expired,
> Wait right there!
>
> dnssec-settimes has two times that are usually relevant to the old key
> when rolling keys: the retire time and the delete time. (There's also a
> revocation time but we don't need to worry about that now.)
>
> There isn't a key expire time.

Yes, sorry.  I'm removing the key file shortly after the "deleted" date.

I think the problem is probably that I'm not waiting long enough.  I 
need to give bind at least one hour, so that it passes its "next key 
event", right?

> You might also want to take a look at the dnssec-keymgr utility:
> https://ftp.isc.org/isc/bind9/9.11.1/doc/arm/man.dnssec-keymgr.html

That looks great.  Red Hat is shipping bind 9.9, so I hadn't seen it.  
I'd imagine it doesn't actually depend on any 9.11 features, and can run 
on bind 9.9?
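As an added illustration of the timing question above (not code from the thread or from BIND), here is a small check that reads the timing metadata from a key's .private file and only reports the file as removable once the Delete time plus the one-hour "next key event" margin has passed. The field names (Created, Publish, Activate, Inactive, Delete, as YYYYMMDDHHMMSS in UTC) follow BIND's .private file layout; the sample file contents are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of a BIND .private file; the key
# material lines are omitted since only the timing metadata matters here.
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20170401120000
Publish: 20170401120000
Activate: 20170408120000
Inactive: 20170501120000
Delete: 20170508120000
"""

# Timing fields written by dnssec-keygen / dnssec-settime.
TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")

# Margin taken from the post: give named at least one hour past the
# Delete time so it reaches its next key event before the file vanishes.
SAFETY_MARGIN = timedelta(hours=1)


def utc(stamp):
    """Parse a 14-digit YYYYMMDDHHMMSS stamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_timing(text):
    """Return {field: datetime} for every timing line present in the file."""
    times = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(\d{14})\s*$", line)
        if m and m.group(1) in TIMING_FIELDS:
            times[m.group(1)] = utc(m.group(2))
    return times


def safe_to_remove(text, now):
    """True only when a Delete time is set and `now` is past it by the margin.

    A key with no Delete time is never reported as removable: without one,
    named still treats the key as part of the zone's key set.
    """
    delete_at = parse_timing(text).get("Delete")
    if delete_at is None:
        return False
    return now >= delete_at + SAFETY_MARGIN
```

Run the check against each K*.private file in the key directory from cron, and only unlink the .key/.private pair for which it returns True.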