Please FIX your email client. It really stuffs up the text/plain by adding in additional lines.
In message <102153bef555e7489ca5d54165c431a301301...@exchbsi02.ttt.co.th>, "Jit tinan Suwanruengsri" writes: > > Hi, > > 1. my server use key id 23412 first and then 40767 > > > > [root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+23412 > > Created: Wed Jul 30 14:56:09 2014 > > Publish: Wed Jul 30 14:56:09 2014 > > Activate: Fri Aug 1 14:56:09 2014 > > Revoke: UNSET > > Inactive: Sun Aug 31 14:56:09 2014 > > Delete: Mon Sep 1 14:56:09 2014 > > [root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+40767 > > Created: Thu Aug 7 15:59:03 2014 > > Publish: Fri Aug 29 14:56:09 2014 > > Activate: Sun Aug 31 14:56:09 2014 > > Revoke: UNSET > > Inactive: Tue Sep 30 14:56:09 2014 > > Delete: Wed Oct 1 14:56:09 2014 > > > > 2. In order to test changing a new ZSK,I set the OS clock to be > future time at Aug 31 14:56:08 2014..Now it is Aug 7 2014. Then I wait > 2-3 secs to ensure that bind activate new ZSK id 40767 and inactivate > old ZSK id 23412. > > 3. I use dig to check whether bind activate new key correctly or > not but I notice there is some dns records which are signed by new key > and some dns records are signed by old key. In therory,After new ZSK is > activated.All dns records must be signed with new key. No. Once a key is activated it will be used to sign rrsets as they fall due for re-signing. Named does NOT walk the zone and re-sign every rrset. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
