Mathew Ian Eis <mathew....@nau.edu> wrote: > > > Are you allowing enough time for named to go through a zone key > > maintenance cycle? (which is hourly if I remember correctly) > > I’m not sure, it sounds like perhaps not always? You’ve > mentioned a “zone > key maintenance cycle” of an hour, and the docs also casually mention > that “by default, this [key] rollover completes in 30 days” [1]. These are two separate things. The zone key maintenance timer controls when named re-examines a zone's keys (checks for changes to the files, loads new keys, etc.) I haven't checked this myself in detail, but named can get confused and upset if a key file disappears while named thinks the key is still in use, so I suspect it might go wrong if the file is deleted after the key deletion time but before the zone key timer triggers. The rollover time is related to the signature lifetime - you have to stop signing with a key, allow a month for the signatures to be replaced, then delete the key, and you specify all this with dnssec- settimes, and check it is sane with dnssec-coverage. (Which I am sure you know but I wanted to avoid confusion.) > How long after deletion time is it safe to actually remove the > underlying > key files, if it isn’t the deletion time itself? You should probably augment your key file deletion script to verify that the key has in fact gone from the zone - if you add suitable warning diagnostics it will probably reveal what is actually going wrong, more reliably than my guesses! Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn-- zr8h punycode
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
