proposed new command line option for dnssec-signzone

Pierre Beyssac pb at
Tue Sep 24 00:01:07 UTC 2013

Hi Evan,

On Mon, Sep 23, 2013 at 04:24:33PM +0000, Evan Hunt wrote:
> Hi Pierre,
> It wasn't unnoticed, just unanswered, and I apologize.  I haven't
> had cycles to consider this yet.

Thanks for your reply. No worry, I apologize in turn, could have
waited longer ;)

> Incidentally, a good place to submit patches is actually
> bind-suggest at -- that goes into our ticketing system so
> we don't have rely on our faulty human brains to remember it.

Thanks, I didn't know that. I'll remember it next time.

> The first thought I had was to wonder whether we should add a
> new option or merely extend the -R option to do what you're asking.
> Are there circumstances when you'd need the current -R behavior but
> would *not* want the behavior that you're proposing for -1?


-R seems to match RFC 4641 section Double Signature Zone
Signing Key Rollover. So some people probably have a use for it,
but in my case I want to avoid that.

My patches implement RFC 4641 Pre-Publish Key Rollover.

I agree with you that on a logical point of view, -1 is just a
variation of -R since it simply causes the RRSIGs to be removed
sooner in the rollover procedure.

A given RRSIG cannot match at the same time both -R and -1 for
removal, so in theory you could have a file having both categories
of RRSIGs that you might want to remove in one step, but I can't
see a real world scenario for that.
Sent from my FreeBSD server on its IPv6 connection
Pierre Beyssac	      	    		pb at

More information about the bind-workers mailing list