> I'm signing more or less hourly. My -i interval says "at least 1296000
> seconds in the future" from start date "now - minus 1 hour" (because I
> don't use "-s")

Your -i flag says: if you're re-signing a zone that's already signed, any RRSIGs whose expiry times are less than 15 days in the future should be dropped and replaced with new RRSIGs. (1296000 == 15 days)

Your -e flag says, sign records with a base expiry time 30 days in the future.

Your -j flag says, use a 30 day jitter window for the expiry times. So now it's 30 days in the future, plus or minus 15 days.

So, a few records end up with expiry 30-15=15 days in the future. The next time you sign, because of the -i flag, they get resigned.

I don't think there's anything else going on here. I'd suggest dropping the -i flag or scaling down the size of the jitter window. You can drop -e too, incidentally, since 30 days is already the default.

(By the way, in 9.7.0a2 the times no longer have to be specified in seconds; we added suffixes to specify hours, days, weeks, etc. So you could be saying "-e 30d -i 10d -j 12h" or whatever.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
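
The interaction described in the reply above, as an added simulation that is not part of the original message and is not BIND code. It assumes the expiry model exactly as the reply words it (base expiry plus or minus half the jitter window, uniformly distributed); the function names, record count and seed are constructed for illustration.

```python
import random

DAY = 86400
HOUR = 3600

def expiry(now, base, jitter, rng):
    # Assumed model, taken from the reply's wording: expiry is the base
    # lifetime plus or minus half the jitter window, uniformly distributed.
    return now + base + rng.uniform(-jitter / 2, jitter / 2)

def simulate(base, refresh, jitter, records=10000, runs=24, step=HOUR, seed=1):
    """Return the number of RRSIGs replaced on each periodic re-signing run."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    now = 0
    # Initial signing of a constructed zone with `records` RRSIGs.
    sigs = [expiry(now, base, jitter, rng) for _ in range(records)]
    replaced_per_run = []
    for _ in range(runs):
        now += step
        replaced = 0
        for idx, exp in enumerate(sigs):
            # -i: replace any RRSIG expiring less than `refresh` from now.
            if exp - now < refresh:
                sigs[idx] = expiry(now, base, jitter, rng)
                replaced += 1
        replaced_per_run.append(replaced)
    return replaced_per_run

def main():
    # Settings from the thread: -e 30 days (default), -i 1296000, -j 30 days.
    wide = simulate(30 * DAY, 1296000, 30 * DAY)
    # Suffix example from the reply: -e 30d -i 10d -j 12h.
    narrow = simulate(30 * DAY, 10 * DAY, 12 * HOUR)
    print("wide jitter, RRSIGs replaced per hourly run:", wide)
    print("narrow jitter, RRSIGs replaced per hourly run:", narrow)

if __name__ == "__main__":
    main()
```

With the wide window, the lower edge of the expiry range sits on the -i threshold, so every hourly run replaces the signatures that have just crossed it; with the narrow window nothing is replaced until the signatures age to within 10 days of expiry.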