DNSSEC and automatic renewal of RRSIG-expiration-time

Tony Finch dot at dotat.at
Thu May 3 11:08:03 UTC 2018

Tom <tomtux007 at gmail.com> wrote:

> Does the "inline-signing"-mechanism also automatically renew the
> expiration-time of the RRSIGs?
> If so: When or in which interval does BIND verify the expiration-times
> of the RRSIGs and renew them?

The documentation for sig-validity-interval says renewal time is 1/4 of
the validity period, so for your 1 day interval, 6 hours before expiry.
Specifies the number of days into the future when DNSSEC signatures
automatically generated as a result of dynamic updates (Section 4.2) will
expire. There is an optional second field which specifies how long before
expiry that the signatures will be regenerated.  If not specified, the
signatures will be regenerated at 1/4 of base interval.  The second field
is specified in days if the base interval is greater than 7 days otherwise
it is specified in hours. The default base interval is 30 days giving a
re-signing interval of 7 1/2 days. The maximum values are 10 years (3660

The signature inception time is unconditionally set to one hour before the
current time to allow for a limited amount of clock skew.

The sig-validity-interval should be, at least, several multiples of the
SOA expire interval to allow for reasonable interaction between the
various timer and expiry dates.
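As an added worked example (my own code, not part of this thread or of BIND itself), the following Python models the sig-validity-interval rules quoted above: the optional second field is read in days only when the base interval exceeds 7 days, it defaults to a quarter of the base interval, and inception is fixed one hour before signing time. The function names and the state classification are my own.

```python
from datetime import datetime, timedelta, timezone


def resign_interval(base_days, resign=None):
    """Lead time before expiry at which BIND regenerates a signature.

    Follows the quoted rule: no second field means 1/4 of the base interval;
    a second field is in days if base > 7 days, otherwise in hours.
    """
    base = timedelta(days=base_days)
    if resign is None:
        return base / 4
    unit = timedelta(days=1) if base_days > 7 else timedelta(hours=1)
    return resign * unit


def rrsig_timeline(now, base_days, resign=None):
    """Inception, expiration and earliest re-sign time for a signature made at `now`.

    `now` is assumed to be a timezone-aware UTC datetime. Inception is set
    one hour earlier, as the documentation states, to tolerate clock skew.
    """
    inception = now - timedelta(hours=1)
    expiration = now + timedelta(days=base_days)
    resign_at = expiration - resign_interval(base_days, resign)
    return inception, expiration, resign_at


def rrsig_state(t, inception, expiration, resign_at):
    """Classify a signature at time t (hypothetical helper for zone audits).

    An 'expired' result means validators will treat the zone as bogus, which
    is the failure a stalled inline signer produces.
    """
    if t < inception:
        return "not-yet-valid"
    if t >= expiration:
        return "expired"
    if t >= resign_at:
        return "due-for-resign"
    return "valid"


if __name__ == "__main__":
    # Constructed signing time matching the date of this thread.
    signed = datetime(2018, 5, 3, 11, 8, 3, tzinfo=timezone.utc)
    inc, exp, resign = rrsig_timeline(signed, 1)   # "sig-validity-interval 1;"
    print("inception ", inc)
    print("expiration", exp)
    print("re-sign at", resign)                    # 6 hours before expiry
```

With the default 30-day base interval, resign_interval(30) yields 7 days 12 hours, the 7 1/2 days the documentation mentions.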