<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I'm working on a script that automatically renews DNS keys:</p>
<p><a class="moz-txt-link-freetext" href="https://bitbucket.org/gordonmessmer/update-dns-keys/src">https://bitbucket.org/gordonmessmer/update-dns-keys/src</a></p>
<p>After new keys are introduced, and after the old key has expired,
the old keys are removed (at job, lines 122 and 123). When the
expired keys are removed from the filesystem, named begins to
complain:</p>
<blockquote>
<p>zone dragonsdawn.net/IN/local_resolver (signed): Key
dragonsdawn.net/RSASHA256/37038 missing or inactive and has no
replacement: retaining signatures.</p>
</blockquote>
<p>I've tried running "rndc loadkeys '$zone' in public" afterward,
but named continues to log that error. What's the expected
behavior for handling expired keys? Can we not remove them until
the server is restarted (which does clear the error)?</p>
</body>
</html>