On 06/17/2011 09:35 PM, Phil Mayers wrote:
In which case you're going to have serious problems I think. You can't
delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those
RRSIGs finally disappear.
There's an RFC describing the key rotation schedules you must use in a
lot of detail. I can't find the link off-hand, but I will dig into it.
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-02
See section 3.2.1
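
The rule quoted above, as an added example that is not part of the original post: a DNSKEY stays published while any RRSIG made with it is still in the zone, and for one maximum TTL after the last such RRSIG has gone. The zone data, key tags 11111 and 22222, the function names and the `last_rrsig_gone_at` parameter are all assumptions made for the illustration; using the largest TTL currently in the zone as $MAX_TTL is a simplification.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone data in presentation format (explicit TTL, one record per line).
# Key tags 11111 (outgoing key) and 22222 (incoming key) and the truncated
# signatures are made up for this example.
ZONE_MID_ROLL = """\
example.test.     3600  IN SOA   ns1.example.test. admin.example.test. 5 7200 900 1209600 300
example.test.     3600  IN RRSIG SOA 8 2 3600 20110717000000 20110617000000 22222 example.test. AAAA
www.example.test. 86400 IN A     192.0.2.10
www.example.test. 86400 IN RRSIG A 8 3 86400 20110710000000 20110610000000 11111 example.test. BBBB
"""
# Same zone after the last signature made by key 11111 has been replaced.
ZONE_RESIGNED = ZONE_MID_ROLL.replace(
    "20110710000000 20110610000000 11111 example.test. BBBB",
    "20110717000000 20110617000000 22222 example.test. CCCC")


def parse_records(zone_text):
    """Return (owner, ttl, rtype, rdata_fields) for each non-comment line."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5:
            records.append((fields[0], int(fields[1]), fields[3], fields[4:]))
    return records


def rrsigs_by_key(records, key_tag):
    """RRSIG rdata: covered alg labels orig-ttl expire inception KEYTAG signer sig."""
    return [(owner, rdata[0]) for owner, _, rtype, rdata in records
            if rtype == "RRSIG" and int(rdata[6]) == key_tag]


def earliest_dnskey_removal(zone_text, key_tag, last_rrsig_gone_at):
    """None while any RRSIG by key_tag is still in the zone; otherwise the time
    the last such RRSIG left the zone plus the largest TTL in the zone."""
    records = parse_records(zone_text)
    if rrsigs_by_key(records, key_tag):
        return None  # extant RRSIGs: the DNSKEY must stay published
    max_ttl = max(ttl for _, ttl, _, _ in records)
    return last_rrsig_gone_at + timedelta(seconds=max_ttl)


if __name__ == "__main__":
    gone = datetime(2011, 6, 18, tzinfo=timezone.utc)
    print(earliest_dnskey_removal(ZONE_MID_ROLL, 11111, gone))
    print(earliest_dnskey_removal(ZONE_RESIGNED, 11111, gone))
```
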