On 17/06/11 15:13, Spain, Dr. Jeffry A. wrote:

> As of today (6/17/2011), RRSIG records for key 2750 are present for
> every RRset in the zone. The only RRSIG record for key 33722 is for the
> SOA RRset. See http://dnsviz.net/d/countryday.net/dnssec/. As I
> understand the process, based on the dates in the metadata, there should
> be RRSIGs for key 33722 on all RRsets, and all RRSIGs for key 2750
> should have been removed.

IIRC bind will not re-generate the signatures until they are "due" based on the sig-* parameters.

For example, the RRSIG on the NS records:

countryday.net.         3600 IN RRSIG NS 7 2 3600 20110709035017 ...

...was generated on June 9th and isn't due to expire until July 9th. Bind will re-sign it at ~0.75 of that window if memory serves, so it'll get re-signed at or about July 1st.

How big is the zone, and how did you sign it originally? If you used "rndc sign", then there will be little jitter in the RRSIG so they'll all tend to roll over together.

For most of our zones, I signed them manually using dnssec-signzone and tuning the jitter for a constant trickle.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
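
An added example (not part of the original message, and not BIND's own logic): the reply's timing estimate applied to RRSIG records in dig's presentation format, listing the RRsets still signed only by the old key and when each would be re-signed. The records are constructed (example.net, the inception times and the signature data are placeholders); the 0.75 fraction is the reply's recollection and is taken as a parameter.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, RFC 4034 RRSIG field order:
# owner TTL class RRSIG covered alg labels orig-ttl expiration inception keytag signer sig
SAMPLE = """\
example.net. 3600 IN RRSIG SOA 7 2 3600 20110717151300 20110617141300 33722 example.net. PLACEHOLDER=
example.net. 3600 IN RRSIG SOA 7 2 3600 20110709035017 20110609025017 2750 example.net. PLACEHOLDER=
example.net. 3600 IN RRSIG NS 7 2 3600 20110709035017 20110609025017 2750 example.net. PLACEHOLDER=
www.example.net. 3600 IN RRSIG A 7 3 3600 20110709035017 20110609025017 2750 example.net. PLACEHOLDER=
"""

def parse_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, key_tag, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue  # skip comments, blank lines and other record types
        yield f[0], f[4], int(f[10]), parse_time(f[9]), parse_time(f[8])

def resign_estimate(inception, expiration, fraction=0.75):
    """Point in the validity window at which a re-sign is expected (assumed fraction)."""
    return inception + (expiration - inception) * fraction

def rollover_report(text, old_tag, new_tag, fraction=0.75):
    """Map each RRset signed by old_tag but not yet by new_tag to its estimated re-sign time."""
    by_rrset = defaultdict(dict)
    for owner, rtype, tag, inception, expiration in parse_rrsigs(text):
        by_rrset[(owner, rtype)][tag] = resign_estimate(inception, expiration, fraction)
    return {rrset: sigs[old_tag] for rrset, sigs in by_rrset.items()
            if old_tag in sigs and new_tag not in sigs}

if __name__ == "__main__":
    for (owner, rtype), when in sorted(rollover_report(SAMPLE, 2750, 33722).items()):
        print(f"{owner} {rtype}: old-key signature only, re-sign expected about {when:%Y-%m-%d %H:%M} UTC")
```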