Mathew Ian Eis <mathew....@nau.edu> wrote:
>
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to determine whether or not to remove the DNSKEY from
> the zone.

How promptly are you deleting the key files? Are you allowing enough time
for named to go through a zone key maintenance cycle (which is hourly, if
I remember correctly)?

> Lastly, so long as a zone is properly signed with a different key, are
> there any concerns with manually removing the zombie DNSKEY records via
> an update even while auto-dnssec maintain is enabled?

I believe that should work.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
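The race discussed in this thread is between a file-cleanup job that removes key files at their deletion date and named, which still needs the key's timing metadata to take the DNSKEY out of the zone. The following added example (not from the thread or from BIND itself) parses the timing fields of a BIND `.private` key file and refuses to delete the files until the Delete time plus a grace window has passed and the DNSKEY is actually gone from the zone. The grace window of two hourly maintenance cycles and the `dnskey_still_in_zone` flag (which a caller would fill in from a DNSKEY query of the served zone) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the timing section of a BIND .private key file
# (Private-key-format v1.3). Timestamps are UTC, YYYYMMDDHHMMSS.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Created: 20240101000000
Publish: 20240101000000
Activate: 20240108000000
Inactive: 20240301000000
Delete: 20240331000000
"""

_TIME_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")


def parse_key_timing(text):
    """Return {field: datetime(UTC)} for the timing fields present in a .private file."""
    timing = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(\d{14})\s*$", line)
        if m and m.group(1) in _TIME_FIELDS:
            stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
            timing[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return timing


def safe_to_remove_files(timing, now, dnskey_still_in_zone, grace=timedelta(hours=2)):
    """Decide whether the key files may be deleted from disk.

    Files are kept until the Delete time plus a grace window (assumed here: two
    hourly maintenance cycles) AND until the DNSKEY has left the zone, so named
    always has the metadata it needs to perform the removal itself.
    Returns (ok, reason).
    """
    delete_at = timing.get("Delete")
    if delete_at is None:
        return False, "no Delete time set; named will never remove this key"
    if now < delete_at + grace:
        return False, "Delete time plus grace window not yet reached"
    if dnskey_still_in_zone:
        return False, "DNSKEY still published; let named remove it first"
    return True, "ok"
```

Run the check from the cleanup job instead of deleting on the Delete timestamp alone; a key that is still published after the grace window is the "zombie" case and warrants a look at named's logs rather than a file deletion.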