On 05/08/2017 03:22 AM, Tony Finch wrote:
> Gordon Messmer <gordon.mess...@gmail.com> wrote:
>> After new keys are introduced, and after the old key has expired,
>
> Wait right there!
>
> dnssec-settime has two times that are usually relevant to the old key
> when rolling keys: the retire time and the delete time. (There's also a
> revocation time but we don't need to worry about that now.)
>
> There isn't a key expire time.

Yes, sorry. I'm removing the key file shortly after the "deleted" date.
I think the problem is probably that I'm not waiting long enough. I
need to give bind at least one hour, so that it passes its "next key
event", right?

> You might also want to take a look at the dnssec-keymgr utility:
> https://ftp.isc.org/isc/bind9/9.11.1/doc/arm/man.dnssec-keymgr.html
That looks great. Red Hat is shipping bind 9.9, so I hadn't seen it.
I'd imagine it doesn't actually depend on any 9.11 features, and can run
on bind 9.9?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
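The retire/delete distinction Tony draws, and Gordon's question about how long to wait after the delete date, as an added example that is not code from the thread, from BIND or from ISC. The script reads the timing comments that dnssec-keygen and dnssec-settime write at the top of a K<zone>+<alg>+<id>.key file ("; Publish:", "; Activate:", "; Inactive:", "; Delete:"; the retire time set with `dnssec-settime -I` appears as "Inactive"), names the lifecycle stage the key is in, and refuses to call the file removable until the Delete time plus a margin has passed. The one-hour margin is taken from Gordon's message as an assumption, not from BIND documentation; the sample key file, its key id and its DNSKEY data are constructed placeholders.

```python
"""Read the timing metadata from a BIND DNSSEC key file and decide whether
the file is past its Delete time.

Added example, not code from the bind-users thread, from BIND or from ISC.
Timestamps in key files are YYYYMMDDHHMMSS in UTC. The same fields appear
in the .private file without the leading ';', so the regex tolerates both.
The one-hour margin is an assumption taken from the thread.
"""
from datetime import datetime, timedelta, timezone
import re

# Matches e.g. "; Delete: 20170508000000 (Mon May  8 00:00:00 2017)".
_EVENT_RE = re.compile(
    r"^;?\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})"
)

# The four fields that drive a key's lifecycle, in order. Note that there
# is no "Expire" field: a key is retired (Inactive) and then deleted.
LIFECYCLE = ("Publish", "Activate", "Inactive", "Delete")
_STATE_NAMES = {"Publish": "published", "Activate": "active",
                "Inactive": "inactive", "Delete": "deleted"}


def to_utc(value):
    """Accept a YYYYMMDDHHMMSS string or a datetime; return an aware UTC datetime."""
    if isinstance(value, str):
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if value.tzinfo is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def parse_key_times(key_file_text):
    """Return {event name: UTC datetime} for every timing line in the file."""
    times = {}
    for line in key_file_text.splitlines():
        m = _EVENT_RE.match(line)
        if m:
            times[m.group(1)] = to_utc(m.group(2))
    return times


def key_state(key_file_text, now):
    """Name the lifecycle stage the metadata puts the key in at time `now`.

    Walks the four timing fields in order and keeps the last one that has
    already passed, so a key past Inactive but before Delete is "inactive".
    """
    now = to_utc(now)
    times = parse_key_times(key_file_text)
    state = "unpublished"
    for event in LIFECYCLE:
        when = times.get(event)
        if when is not None and now >= when:
            state = _STATE_NAMES[event]
    return state


def safe_to_remove(key_file_text, now, margin=timedelta(hours=1)):
    """True only once the Delete time plus `margin` has passed.

    A key with no Delete time is never eligible: nothing has scheduled its
    removal, so its files should stay on disk.
    """
    delete_at = parse_key_times(key_file_text).get("Delete")
    if delete_at is None:
        return False
    return to_utc(now) >= delete_at + margin


# Constructed sample: a ZSK for example.com with a hypothetical key id and
# placeholder key data, laid out the way dnssec-keygen writes a .key file.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20170401000000 (Sat Apr  1 00:00:00 2017)
; Publish: 20170401000000 (Sat Apr  1 00:00:00 2017)
; Activate: 20170408000000 (Sat Apr  8 00:00:00 2017)
; Inactive: 20170501000000 (Mon May  1 00:00:00 2017)
; Delete: 20170508000000 (Mon May  8 00:00:00 2017)
example.com. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDplaceholderKEYdataNotARealKey==
"""

if __name__ == "__main__":
    for when in ("20170405120000", "20170507120000",
                 "20170508003000", "20170508010000"):
        print(when, key_state(SAMPLE_KEY, when), safe_to_remove(SAMPLE_KEY, when))
```

The metadata only says what named has been told to do; the tool that prints the same fields from a real key file is `dnssec-settime -p all K<zone>+<alg>+<id>.key`. Whether the DNSKEY has actually left resolver caches also depends on the record's TTL, which this check does not consult.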