error when removing expired key files

Gordon Messmer gordon.messmer at
Tue May 9 04:52:03 UTC 2017

On 05/08/2017 03:22 AM, Tony Finch wrote:
> Gordon Messmer <gordon.messmer at> wrote:
>> After new keys are introduced, and after the old key has expired,
> Wait right there!
> dnssec-settimes has two times that are usually relevant to the old key
> when rolling keys: the retire time and the delete time. (There's also a
> revocation time but we don't need to worry about that now.)
> There isn't a key expire time.

Yes, sorry.  I'm removing the key file shortly after the "deleted" date.

I think the problem is probably that I'm not waiting long enough.  I 
need to give bind at least one hour, so that it passes its "next key 
event", right?

> You might also want to take a look at the dnssec-keymgr utility:

That looks great.  Red Hat is shipping bind 9.9, so I hadn't seen it.  
I'd imagine it doesn't actually depend on any 9.11 features, and can run 
on bind 9.9?
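
An added example (not part of the original message, and not BIND's own code): a pre-removal check that reads the Delete time from a key file's timing comments and refuses removal until a grace period has passed. The one-hour default is an assumption taken from the poster's guess above, the function names are hypothetical, and the sample key file is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Timing metadata as written into a K*.key file by dnssec-keygen and
# dnssec-settimes, e.g. "; Delete: 20170509040000 (Tue May  9 04:00:00 2017)".
_TIMING = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})\b"
)

def parse_key_times(text):
    """Return {label: aware datetime} for each timing comment found."""
    times = {}
    for line in text.splitlines():
        m = _TIMING.match(line)
        if m:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            # The 14-digit stamps are treated as UTC here.
            times[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return times

def safe_to_remove(text, now, grace=timedelta(hours=1)):
    """True only when a Delete time is set and now >= Delete + grace.

    grace is an assumption (the poster's one-hour guess), not a documented
    BIND value. A key with no Delete time is never reported as removable.
    """
    delete = parse_key_times(text).get("Delete")
    if delete is None:
        return False
    return now >= delete + grace

# Constructed sample key file (not a real key).
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20170301000000 (Wed Mar  1 00:00:00 2017)
; Publish: 20170301000000 (Wed Mar  1 00:00:00 2017)
; Activate: 20170301000000 (Wed Mar  1 00:00:00 2017)
; Inactive: 20170501000000 (Mon May  1 00:00:00 2017)
; Delete: 20170509040000 (Tue May  9 04:00:00 2017)
example.com. IN DNSKEY 256 3 8 CONSTRUCTEDKEYDATA
"""

if __name__ == "__main__":
    for hhmm in ((4, 52), (5, 0)):
        now = datetime(2017, 5, 9, *hhmm, tzinfo=timezone.utc)
        print(now.isoformat(), safe_to_remove(SAMPLE_KEY, now))
```
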

More information about the bind-users mailing list