zsk rollover

Alan Batie alan at peak.org
Tue Feb 25 22:45:45 UTC 2020


On 2/25/20 2:22 PM, Mark Andrews wrote:

> You could set "sig-validity-interval 30 29;" if you want to see things happen
> faster.  This causes the RRSIGs to have a 30 day validity interval and be re-signed
> 29 days before that expires.

That sounds like a useful option, thanks!

> Remember with DNSSEC you never move onto the next step without checking that the
> last step completed first.  The next step can always be stalled.  This applies to both
> online and offline signing.  There are lots of “wait until xxx” in DNSSEC maintenance.
> Don’t schedule multiple steps at once.  Even with a single machine unexpected events
> can happen.

Yup: publish, activate, deactivate, delete.  I've been letting it
generate rrsigs for a long time now, but figured it was time I get the
rollover process worked out so I can actually get dnssec enabled (with
the DS record tie-in) and be sure it's not going to break at some random
time in the future.
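As an added example (not from this thread, and not BIND's own code), a small Python script that turns those "wait until" rules into concrete timestamps for dnssec-settime -P/-A/-I/-D, using the 30-day signature validity mentioned above, and gates each step on what resolvers actually see rather than on the calendar. The DNSKEY TTL, maximum zone TTL, propagation slack, zone name and key tags are assumptions, and the dig output is constructed.

```python
from datetime import datetime, timedelta

# Assumed operating parameters (constructed for this example, not taken from the thread)
DNSKEY_TTL = timedelta(hours=1)      # TTL of the DNSKEY RRset
MAX_ZONE_TTL = timedelta(days=1)     # largest TTL of any signed RRset in the zone
PROPAGATION = timedelta(hours=2)     # slack for zone transfer to every secondary
SIG_VALIDITY = timedelta(days=30)    # "sig-validity-interval 30 29" -> RRSIGs live 30 days

def zsk_rollover_schedule(publish: datetime) -> dict:
    """Pre-publish ZSK rollover timeline (RFC 6781 style), usable as -P/-A/-I/-D
    arguments to dnssec-settime. Each step waits for the previous one to propagate."""
    activate = publish + DNSKEY_TTL + PROPAGATION  # new DNSKEY visible in every cache
    inactive = activate                            # old key stops signing as new key starts
    # Old key must stay published until every RRSIG it made has expired (worst case
    # a full validity period) or aged out of caches, plus transfer slack.
    delete = inactive + SIG_VALIDITY + MAX_ZONE_TTL + PROPAGATION
    return {"publish": publish, "activate": activate, "inactive": inactive, "delete": delete}

def rrsig_keytags(dig_output: str) -> set:
    """Key tags of every RRSIG in 'dig +dnssec' output (field 10 of an RRSIG line)."""
    tags = set()
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) > 10 and f[3] == "RRSIG":
            tags.add(int(f[10]))
    return tags

def ready_for(step: str, rrsig_tags: set, old_tag: int, new_tag: int) -> bool:
    """Gate check before a step: prove the previous step took effect in what
    resolvers actually see, as the thread advises, instead of trusting the schedule."""
    if step == "inactive":   # retire the old key only once the new key is signing
        return new_tag in rrsig_tags
    if step == "delete":     # drop the old key only once nothing is signed by it
        return new_tag in rrsig_tags and old_tag not in rrsig_tags
    raise ValueError(step)

# Constructed 'dig +dnssec' answer: the apex still carries one RRSIG from the old ZSK (11111).
SAMPLE_DIG = """\
example.test.   3600 IN SOA   ns1.example.test. hostmaster.example.test. 2020022501 7200 3600 1209600 3600
example.test.   3600 IN RRSIG SOA 13 2 3600 20200326224545 20200225224545 11111 example.test. abc==
example.test.   3600 IN MX    10 mail.example.test.
example.test.   3600 IN RRSIG MX 13 2 3600 20200326224545 20200225224545 22222 example.test. def==
"""

if __name__ == "__main__":
    sched = zsk_rollover_schedule(datetime(2020, 2, 25, 22, 45))
    for step, when in sched.items():
        print(f"{step:9} {when:%Y%m%d%H%M%S}")    # dnssec-settime timestamp format
    tags = rrsig_keytags(SAMPLE_DIG)
    print("ready to delete old ZSK 11111:", ready_for("delete", tags, 11111, 22222))
```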
