Sorry to self-reply… I’m still getting used to dnssec-policy. With the RRSIGs directly in the zone file now I was having some trouble. I think I got it now - I needed to change the TTL on a given RR, and delete the RRSIG for that RR. Lather, rinse, repeat for any/all other RR’s. BIND will make new RRSIGs for these “new” RRs (new by virtue of having a diff TTL and no RRSIG…) I think it makes sense now - but I welcome any other clarification or comments.
Sorry for the noise. Thanks. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
