On Tue, Jun 23, 2009 at 8:10 PM, Mark Andrews <ma...@isc.org> wrote:
>
> Even if the update were published on the master instantaneously
> you still need to wait for the zone to transfer to all the
> slaves and for the old DLV records to time out of caches.

Even 24 hrs after? My zone ttls are set for 3 hrs. It's now been ~36
hrs since I put the new keys up on DLV, and still they cannot be
validated. Is this due to the above?

> DNSSEC changes are not and never will be instantaneous. You
> either have to change the DLV/DS records in advance of
> adding keys in or you need to wait for old DNSKEY RRset to
> time out before you change your DNSKEY RRset. You tried to
> change both at once and that will never work.

I recognize I shouldn't have removed the old keys from DLV as soon as
I'd put the new ones up; I didn't do this on the last ksk rollover.

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
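The ordering rule quoted in the message above, as an added example that is not part of the original thread: a small model that lists the periods in which a validator's cache can hold a DLV RRset and a DNSKEY RRset with no key in common. It models only cache expiry and slave transfer lag and assumes every key in a DNSKEY RRset signs that RRset; the schedules, the "old"/"new" labels, the function names and the 6-hour DLV TTL are constructed, and the 3-hour DNSKEY TTL is the zone TTL mentioned in the message.

```python
from itertools import product

NEG_INF, INF = float("-inf"), float("inf")

def cache_windows(versions, ttl, lag=0.0):
    """versions: [(publish_hour, key_labels), ...] in time order.
    Returns (first_seen, last_cached, keys) for each RRset version."""
    out = []
    for i, (start, keys) in enumerate(versions):
        # A version is replaced when the next one is published, may still be
        # served by a lagging slave for `lag` hours, then lingers one TTL.
        end = versions[i + 1][0] + lag + ttl if i + 1 < len(versions) else INF
        out.append((start, end, frozenset(keys)))
    return out

def broken_windows(dlv, dnskey, dlv_ttl, dnskey_ttl, lag=0.0):
    """Periods in which a validator can hold a DLV RRset and a DNSKEY RRset
    that have no key in common, so the chain of trust cannot be built."""
    bad = []
    pairs = product(cache_windows(dlv, dlv_ttl, lag),
                    cache_windows(dnskey, dnskey_ttl, lag))
    for (d_lo, d_hi, d_keys), (k_lo, k_hi, k_keys) in pairs:
        lo, hi = max(d_lo, k_lo), min(d_hi, k_hi)
        if lo < hi and not (d_keys & k_keys):
            bad.append((lo, hi, sorted(d_keys), sorted(k_keys)))
    return bad

# Constructed schedules (hours). DNSKEY TTL 3 h as in the message; DLV TTL assumed.
DLV_TTL, DNSKEY_TTL = 6.0, 3.0
# Both RRsets swapped at once at hour 0.
AT_ONCE_DLV = [(NEG_INF, {"old"}), (0.0, {"new"})]
AT_ONCE_KEY = [(NEG_INF, {"old"}), (0.0, {"new"})]
# New DLV record added first, DNSKEY swapped after the old-only DLV set has
# expired, old DLV record removed after the old DNSKEY set has expired.
STAGED_DLV = [(NEG_INF, {"old"}), (0.0, {"old", "new"}), (12.0, {"new"})]
STAGED_KEY = [(NEG_INF, {"old"}), (6.0, {"new"})]

if __name__ == "__main__":
    for name, d, k in (("at once", AT_ONCE_DLV, AT_ONCE_KEY),
                       ("staged", STAGED_DLV, STAGED_KEY)):
        print(name, broken_windows(d, k, DLV_TTL, DNSKEY_TTL))
```

Passing a non-zero `lag` shows how slave transfer delay eats into a schedule that is only just safe on TTLs alone.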