Signature-refresh determines when the RRSIGs will be replaced by looking at the expiration time and working backwards. New RRSIGs are generate Using signature-interval.
-- Mark Andrews > On 11 May 2022, at 18:15, Tom <[email protected]> wrote: > > Hi list > > After switching from "semi-automatic"-signing to dnssec-policy (everything > identical, except new ZSK rollover) I have the following rndc output: > > $ rndc dnssec -status example.ch > dnssec-policy: 60d_zsk_rollover > current time: Wed May 11 09:54:55 2022 > > key: 45819 (ECDSAP256SHA256), KSK > published: yes - since Mon Apr 27 08:00:01 2020 > key signing: yes - since Mon Apr 27 08:00:01 2020 > > No rollover scheduled > - goal: omnipresent > - dnskey: omnipresent > - ds: omnipresent > - key rrsig: omnipresent > > key: 17242 (ECDSAP256SHA256), ZSK > published: yes - since Mon May 9 16:25:59 2022 > zone signing: yes - since Mon May 9 17:30:59 2022 > > Next rollover scheduled on Fri Jul 8 15:25:59 2022 > - goal: omnipresent > - dnskey: omnipresent > - zone rrsig: rumoured > > key: 52021 (ECDSAP256SHA256), ZSK > published: yes - since Mon Apr 27 08:00:01 2020 > zone signing: no > > Key is retired, will be removed on Mon Jul 6 09:05:01 2020 > - goal: hidden > - dnskey: omnipresent > - zone rrsig: unretentive > > > > The ZSK 52021 is the old one (from semi-automatic), the ZSK 17242 is the new > one, which was created after reloading named while applying the new > dnssec-policy. > > The current behavior I see is, that already existing RR are still signed with > the "old" key (52021) and newly created RR are signed with the new ZSK > (17242). Is this normal behavior and yes, after which time will the existing > RR also be signed with the new ZSK (17242)? > > The dnssec-policy configuration looks like this: > > dnssec-policy "60d_zsk_rollover" { > signatures-refresh 5d; > signatures-validity 14d; > signatures-validity-dnskey 14d; > > dnskey-ttl 3600s; > publish-safety 1h; > retire-safety 1h; > purge-keys 10d; > > keys { > ksk lifetime unlimited algorithm ecdsap256sha256; > zsk lifetime 60d algorithm ecdsap256sha256; > }; > > zone-propagation-delay 300s; > max-zone-ttl 86400s; > > parent-propagation-delay 1h; > parent-ds-ttl 3600; > nsec3param iterations 0 optout no salt-length 0; > }; > > > > Many thanks for hints/explanations. > Best regards, > Tom > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > [email protected] > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list [email protected] https://lists.isc.org/mailman/listinfo/bind-users
