One last question (I hope): sig-validity-interval seems to only affect the expiration date of newly created signatures, and of course signatures are only rolling over to new keys as they expire.
I am wondering if I can ask bind to set the expiration for, say 30 days out, but when a new key is published, publish all signatures with the new key sooner, say, a week before the previous ones expire. One option would be to use rndc sign [zone] to forcibly re-sign all records with all published keys, but of course that would upset any jitter… Are there any other approaches?

Thanks again,

Mathew Eis

-----Original Message-----
From: Tony Finch <d...@dotat.at>
Date: Wednesday, July 6, 2016 at 2:48 AM
To: Mathew Eis <mathew....@nau.edu>
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal

Mathew Ian Eis <mathew....@nau.edu> wrote:
>
> Does all of that sound right?

I believe so, yes.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly, backing southwesterly, 3 or 4, becoming variable for a time. Smooth or slight, occasionally moderate in Humber and Biscay. Fair. Good.