Any chance to do partial sign when RRSIG expires

Tony Finch dot at dotat.at
Thu Mar 1 11:31:59 UTC 2018


rams <bramesh80 at gmail.com> wrote:

> Currently in bind we are doing auto full sign when RRSIG expires . Is there
> any chance to generate only RRSIGS instead of full sign.

If you pass the existing signed zone to dnssec-signzone it will
incrementally re-sign it as required - see the last example in the man
page.

Or use named's built-in incremental signing.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire: Easterly or northeasterly 4 or 5, occasionally 6 in
south Viking. Slight or moderate, occasionally rough in south Viking. Fair.
Good.


More information about the bind-users mailing list