auto-dnssec sanity check (please)

2015-10-01 Thread Jim Popovitch
Hello,

I recently rolled out auto-dnssec and inline-signing (v9.9.5), and
today (1-Oct 00:00 UTC) was the first automatic zsk rollover.
According to http://dnsviz.net/d/domainmail.org/dnssec/ it appears
that the SOA is signed by the new zsk, but the rest of the RRs are
still signed by the old.  That concerns me.   Is it as simple as
cached responses?


-Jim P.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: auto-dnssec sanity check (please)

2015-10-01 Thread Mark Andrews

In message , Jim Popovitch writes:
> Hello,
> 
> I recently rolled out auto-dnssec and inline-signing (v9.9.5), and
> today (1-Oct 00:00 UTC) was the first automatic zsk rollover.
> According to http://dnsviz.net/d/domainmail.org/dnssec/ it appears
> that the SOA is signed by the new zsk, but the rest of the RRs are
> still signed by the old.  That concerns me.   Is it as simple as
> cached responses?

Named re-signs RRsets as they fall due.  The key(s) that will sign
the set is determined by whether it is active or not at that point
in time.  Named does not re-sign the whole zone just because a key
became active.  As long as both the new and old keys are in the
DNSKEY RRset until the last RRset is re-signed and the old signatures
have timed out of caches, everything will validate.

Named's primary job is to answer queries.  Its secondary job is
to re-sign RRsets.  Re-signing too early is just wasting computing
resources and takes named away from its primary role.

A key rollover should look like this:

key1 P
key2 SSP--
key3 -PSSS
key4 ---PS
sigs MMM222MMM333M

S = Signing and published
P = Publish only
- = does not exist in the zone
M = mixed signatures in the zone
2 = only key2 signatures
3 = only key3 signatures

> -Jim P.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
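The condition Mark describes (every RRSIG in the zone still points at a key that is published in the DNSKEY RRset, and none has expired) can be checked from a zone dump. The following is an added example, not BIND's code or anything from the thread; it assumes a one-record-per-line text dump (as `dig axfr` or `dnssec-signzone` produce) and uses constructed keys and dummy signature data with made-up key tags.

```python
# Added example (not BIND code): audit a signed-zone text dump in the middle of a ZSK
# rollover.  Assumes one record per line; key and signature bytes below are constructed.
import base64
import struct
from datetime import datetime, timezone

def key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_zone(zone_text, now):
    """Return (published key tags -> flags, problems, key tag -> RRsets it signs)."""
    published, rrsigs = {}, []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].startswith(";"):
            continue
        if f[3] == "DNSKEY":            # name TTL IN DNSKEY flags proto alg key
            published[key_tag(int(f[4]), int(f[5]), int(f[6]), f[7])] = int(f[4])
        elif f[3] == "RRSIG":           # ... RRSIG type alg labels origttl exp inc tag signer sig
            rrsigs.append((f[0], f[4], f[8], int(f[10])))
    problems, coverage = [], {}
    for name, covered, expiry, tag in rrsigs:
        if tag not in published:        # old ZSK dropped from DNSKEY before its RRSIGs were replaced
            problems.append(f"{name} {covered}: signed by key {tag}, which is no longer in DNSKEY")
        if datetime.strptime(expiry, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc) <= now:
            problems.append(f"{name} {covered}: RRSIG by key {tag} expired at {expiry}")
        coverage.setdefault(tag, set()).add(f"{name} {covered}")
    return published, problems, coverage

# Constructed zone mid-rollover: KSK tag 1016, old ZSK tag 2062, new ZSK tag 6688 (dummy key bytes).
ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2015100100 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20151031000000 20151001000000 6688 example.test. c2ln
example.test. 3600 IN DNSKEY 257 3 8 /+4=
example.test. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 8 CgsMDQ==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20151031000000 20151001000000 1016 example.test. c2ln
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 8 3 300 20151020000000 20150920000000 2062 example.test. c2ln
"""
NOW = datetime(2015, 10, 1, 12, 0, tzinfo=timezone.utc)   # reference time for the check
if __name__ == "__main__":
    keys, problems, coverage = audit_zone(ZONE, NOW)
    print("published key tags:", sorted(keys), "\nproblems:", problems or "none")
    for tag, sets in sorted(coverage.items()):
        print(f"key {tag} ({'KSK' if keys.get(tag) == 257 else 'ZSK'}) signs {sorted(sets)}")
```

With both ZSKs published the mixed state reports no problems; removing the old ZSK's DNSKEY line while the A RRSIG still references tag 2062 is the case the check is meant to catch.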