Gordon Messmer <gordon.mess...@gmail.com> wrote:

> After new keys are introduced, and after the old key has expired,

Wait right there!

dnssec-settime has two times that are usually relevant to the old key when rolling keys: the retire time and the delete time. (There's also a revocation time, but we don't need to worry about that now.) There isn't a key expire time.

It sounds to me like named is upset because you have not properly co-ordinated the retirement of the key (when it stops being used to make signatures) with the expiry of the signatures made using the key (by default 30 days later) with the deletion of the key from the zone. You shouldn't delete the key from disk until everything has gone from the zone and named has done the key maintenance to delete its internal state.

You might also want to take a look at the dnssec-keymgr utility: https://ftp.isc.org/isc/bind9/9.11.1/doc/arm/man.dnssec-keymgr.html

Tony.

-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
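The retire / signature-expiry / delete ordering Tony describes, as an added example that is neither from this thread nor from BIND: a small Python helper that computes the earliest safe delete time from a retire time (assuming BIND's default 30-day signature validity, plus an optional zone TTL so caches have dropped the old RRSIGs) and builds the matching dnssec-settime command line. The key file name is a constructed placeholder.

```python
from datetime import datetime, timedelta

# Added example, not ISC code. Times use the YYYYMMDDHHMMSS form that
# dnssec-settime accepts; signature validity and TTL values are assumptions.
DNSSEC_TIME = "%Y%m%d%H%M%S"
SIG_VALIDITY = timedelta(days=30)  # BIND's default validity period for RRSIGs


def parse_time(s):
    return datetime.strptime(s, DNSSEC_TIME)


def fmt_time(t):
    return t.strftime(DNSSEC_TIME)


def earliest_delete(retire, sig_validity=SIG_VALIDITY, max_ttl_seconds=0):
    """The last RRSIG the key can make is produced at its retire (inactive)
    time and stays valid for sig_validity; add the zone's largest TTL so
    resolver caches have also dropped those RRSIGs before the DNSKEY goes."""
    return parse_time(retire) + sig_validity + timedelta(seconds=max_ttl_seconds)


def check_rollover(retire, delete, sig_validity=SIG_VALIDITY, max_ttl_seconds=0):
    """Return (ok, earliest_safe_delete) for a proposed retire/delete pair;
    ok is False when the delete time would remove the key while signatures
    made with it can still be valid."""
    safe = earliest_delete(retire, sig_validity, max_ttl_seconds)
    return parse_time(delete) >= safe, fmt_time(safe)


def settime_args(keyfile, retire, delete):
    """dnssec-settime invocation recording both times in the key file
    (-I = inactive/retire, -D = delete); returned as a list, not executed."""
    return ["dnssec-settime", "-I", retire, "-D", delete, keyfile]


if __name__ == "__main__":
    # Constructed schedule: retire on 1 June, try to delete two weeks later.
    ok, safe = check_rollover("20170601000000", "20170615000000")
    print("ok" if ok else "delete too early", "- earliest safe delete:", safe)
    # Placeholder key file name; use the real K<zone>+<alg>+<id> file.
    print(" ".join(settime_args("Kexample.com.+008+12345.key",
                                "20170601000000", safe)))
```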