Thanks for the workaround. But in this case, after "dnssec-settime -L ttl" I need to unsign/sign the zone (p.1 of the steps above) in order for the new TTL value to appear in the DNSKEY RRset ("service bind9 reload" or "rndc loadkeys" has no effect). But I would like to find a solution without the need for an unsigning/signing cycle. Besides, the question is: is this a bug? Or is this behavior caused by some rules or restrictions?
Kind regards,
Александр Остапенко

2016-08-16 8:59 GMT+07:00 Mark Andrews <ma...@isc.org>:

> In message <CAMUgSQDxY_BnEgnAe4eQpoV_cHb7ScZ=qxT_-4CVW3nLokctag@mail.gmail.com>,
> Александр Остапенко writes:
> > Hello.
> >
> > I'm using BIND 9.9.5.
> > My steps:
> >
> > 1. Sign zone using 1 ZSK and 2 KSK: a) adding "*auto-dnssec maintain;*"
> >    and "*inline-signing yes;*" directive into zone section of named.conf;
> >    b) setting publication and activation timestamps to current time in
> >    key files; c) *rndc reload*.
> > 2. Change TTL value in the zone file ($TTL 86400 ==> $TTL 432000).
> > 3. Increase serial number in SOA record by 1.
> > 4. *rndc reload*.
> >
> > After that - DNSKEY and RRSIG DNSKEY records still have 86400 value in TTL
> > (checked via *dig*).
> > What could be the reason for such behavior?
> >
> > Kind regards,
> > Aleks Ostapenko
>
> Use "dnssec-settime -L ttl"
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org