On Mon, Jan 09, 2012 at 09:40:51PM +0000, Chris Thompson wrote:
> | If the resolver ever sees the DNSKEY RRSet without the new key but
> | validly signed, it stops the acceptance process for that key and
> | resets the acceptance timer.
>
> What BIND does is to retain the entry for the new key in managed-keys.bind
> but every time it notices that it is no longer published it sets the
> KEYDATA.addhd field 30 days in the future. Thus it will never get accepted
> as a trust anchor.
>
> That seems to satisfy the letter of the law, but it does mean that
> managed-keys.bind remains cluttered with such keys.
You have a point. I don't remember making that particular design decision, but I probably just didn't think about it. "Reset the acceptance timer" implies the existence of a timer; if I'd deleted the key, there wouldn't be a timer to reset. :)

Feel free to open a ticket at bind9-b...@isc.org. It's not likely to be a particularly high-priority fix, though.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
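To make the behaviour discussed above concrete, the following is a constructed Python model of the RFC 5011 add hold-down bookkeeping for one managed-keys entry. It is an added illustration, not BIND source code: the class names, the `retain_withdrawn` switch and the day-based clock are assumptions, with only the field name `addhd` and the 30-day interval taken from the thread. With `retain_withdrawn=True` it reproduces what Chris describes (the entry stays, and every poll that finds the key unpublished pushes `addhd` another 30 days out, so the key is never accepted); with `retain_withdrawn=False` it models the alternative Evan mentions, deleting the entry so there is no timer left to reset.

```python
"""Toy model of RFC 5011 add hold-down handling for a pending trust anchor.

Constructed example for illustration; not BIND's implementation.
Time is measured in whole days so the scenarios are easy to follow.
"""
from dataclasses import dataclass

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down interval


@dataclass
class KeyData:
    key_id: int
    addhd: int             # day on which the key may be accepted as a trust anchor
    seen_missing: int = 0  # polls that found the key unpublished (bookkeeping only)


class ManagedKeys:
    """Tracks trusted keys plus candidates still inside their hold-down period."""

    def __init__(self, trusted, retain_withdrawn=True):
        self.trusted = set(trusted)
        self.pending = {}                    # key_id -> KeyData
        self.retain_withdrawn = retain_withdrawn  # assumption: models the two behaviours

    def refresh(self, day, dnskeys, signed_by):
        """Process one poll of the zone's DNSKEY RRset.

        dnskeys:   key ids present in the RRset
        signed_by: key ids whose RRSIGs validated the RRset
        """
        if not (set(signed_by) & self.trusted):
            return  # not validly signed by a current trust anchor: ignore the poll
        dnskeys = set(dnskeys)

        # Newly seen keys start their add hold-down timer.
        for kid in dnskeys - self.trusted:
            if kid not in self.pending:
                self.pending[kid] = KeyData(kid, day + ADD_HOLD_DOWN_DAYS)

        for kid, kd in list(self.pending.items()):
            if kid not in dnskeys:
                # Key withdrawn before acceptance: RFC 5011 says stop and reset.
                kd.seen_missing += 1
                if self.retain_withdrawn:
                    kd.addhd = day + ADD_HOLD_DOWN_DAYS  # entry kept, timer pushed out
                else:
                    del self.pending[kid]                # entry dropped entirely
            elif day >= kd.addhd:
                # Hold-down elapsed while the key stayed published: accept it.
                self.trusted.add(kid)
                del self.pending[kid]


def accepted_key_scenario():
    """Key 2 is published alongside trusted key 1 for the full hold-down."""
    mk = ManagedKeys(trusted={1})
    for day in range(0, 31):
        mk.refresh(day, {1, 2}, {1})
    return 2 in mk.trusted


def withdrawn_key_scenario(retain_withdrawn):
    """Key 2 appears, is withdrawn on day 10 and never republished."""
    mk = ManagedKeys(trusted={1}, retain_withdrawn=retain_withdrawn)
    mk.refresh(0, {1, 2}, {1})
    mk.refresh(10, {1}, {1})
    for day in range(11, 200):
        mk.refresh(day, {1}, {1})
    return 2 in mk.trusted, sorted(mk.pending)


if __name__ == "__main__":
    print("accepted after 30 days:", accepted_key_scenario())
    print("withdrawn, entry retained:", withdrawn_key_scenario(True))
    print("withdrawn, entry deleted:", withdrawn_key_scenario(False))
```

Running the script shows the difference in the second and third lines: both variants refuse to accept the withdrawn key, but only the retained variant leaves a stale entry behind, which is the clutter Chris is pointing at.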