On 06/18/2011 03:48 PM, Spain, Dr. Jeffry A. wrote:
> Assume that bind 9.8.0 is in operation. A zone is configured with
> auto-dnssec maintain, and the zone signing keys K and its successor K'
> are published. Further assume that the activation time for K has passed
> and the zone is properly signed with K. Now suppose that the activation
> time for K' arrives. Should I expect bind to generate RRSIG records with
> K' right away?

No. It will only be used for new signatures, so you'll need to wait for some old signature to expire (or an update with DDNS) to see RRSIG with that key.

> Now suppose that the deactivation date for K arrives one
> day later. Should I expect bind to remove RRSIG records for K right
> away? Or only after the signature expiration times of those signatures?

The latter, with a minor correction - the RRSIGs will be removed at 0.75*lifetime (by default) rather than exactly at the expiry time.

If you *delete* the key, it'll immediately strip the old RRSIGs, and it is smart enough to replace them with RRSIGs from the new ZSK (or if you've erroneously removed the only ZSK, the KSK!).

I strongly advise against removing a key with extant signatures.

n.b. this is all from memory and tests I did under bind 9.7, so might either be wrong or have changed, but I don't think so. If you want to be sure, it's pretty easy to create a fake local zone and play with "rndc" and "dnssec-settime".
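As an added example (not from the thread), a Python model of the timeline described in the reply above: the successor K' only signs newly generated RRSIGs, K's existing RRSIGs are replaced when BIND re-signs them at 0.75 of their lifetime rather than at K's inactivation date, and deleting K before that point would strip them. Key tags, dates and the 30-day lifetime are constructed; treating the most recently activated live key as the signer is a modelling assumption, not BIND's exact selection rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REFRESH_FRACTION = 0.75  # BIND re-signs once 75% of an RRSIG's lifetime has elapsed (default)
@dataclass(frozen=True)
class ZskKey:
    tag: int
    activate: datetime
    inactive: Optional[datetime] = None  # None: no inactivation time set
@dataclass(frozen=True)
class Rrsig:
    owner: str
    key_tag: int
    inception: datetime
    expiration: datetime

def refresh_time(sig: Rrsig) -> datetime:
    """Instant at which BIND regenerates this RRSIG (well before its expiration)."""
    return sig.inception + (sig.expiration - sig.inception) * REFRESH_FRACTION

def signing_key(keys, now: datetime) -> Optional[ZskKey]:
    """Key for a signature made at `now`: the most recently activated key that is
    active and not yet inactive (modelling assumption, not BIND's exact rule)."""
    live = [k for k in keys if k.activate <= now and (k.inactive is None or now < k.inactive)]
    return max(live, key=lambda k: k.activate) if live else None

def replacement_schedule(keys, sigs, old_tag: int):
    """(owner, refresh time, replacing key tag) for every RRSIG made with `old_tag`."""
    rows = []
    for s in (s for s in sigs if s.key_tag == old_tag):
        k = signing_key(keys, refresh_time(s))
        rows.append((s.owner, refresh_time(s), k.tag if k else None))
    return rows

def last_rrsig_by(sigs, tag: int) -> Optional[datetime]:
    """Latest refresh time of any RRSIG made with `tag`; the key has extant signatures until then."""
    times = [refresh_time(s) for s in sigs if s.key_tag == tag]
    return max(times) if times else None

# Constructed scenario: K' activates 2011-06-19, K goes inactive one day later.
KEYS = [ZskKey(11111, datetime(2011, 5, 1), datetime(2011, 6, 20)),  # K
        ZskKey(22222, datetime(2011, 6, 19))]                         # K'
LIFETIME = timedelta(days=30)  # BIND's default sig-validity-interval
SIGS = [Rrsig("www.example.", 11111, datetime(2011, 6, 1), datetime(2011, 6, 1) + LIFETIME),
        Rrsig("mail.example.", 11111, datetime(2011, 6, 15), datetime(2011, 6, 15) + LIFETIME)]

if __name__ == "__main__":
    for owner, when, tag in replacement_schedule(KEYS, SIGS, 11111):
        print(f"{owner:14} RRSIG by K re-signed {when:%Y-%m-%d %H:%M} with key {tag}")
    print("K keeps extant RRSIGs until", last_rrsig_by(SIGS, 11111))
```

In this scenario K's last RRSIG is not replaced until 2011-07-07, more than two weeks after K's inactivation date, which is the window in which deleting K would strip signatures early.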

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
