Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
> I first create and publish a new ZSK with no activation date. After waiting
> the requisite amount of time, I use dnssec-settime:
>
> dnssec-settime -A K<newid>
> dnssec-settime -I K<oldid>
> rndc sign <zone>
>
> ...and bind immediately starts using the new key for sigs. After 0.75*30 days,
> all the RRSIG with the old key have been replaced except for one - the RRSIG
> on the zone apex DNSKEY record. Unfortunately, this RRSIG is not regenerated,
> or removed; it expires, and causes various monitoring tools (including the ISC
> DLV web UI) to complain.
>
> Is this a bug in bind 9.7.0 which is fixed in a later version?
Possibly this:

3020. [bug] auto-dnssec failed to correctly update the zone when
            changing the DNSKEY RRset. [RT #23232]

dnssec-dnskey-kskonly might be a workaround...

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
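The symptom in this thread (a leftover RRSIG over the apex DNSKEY RRset, made by the retired ZSK, that is never refreshed and eventually expires) is easy to catch before external monitors do. The following is an added example, not code from the thread or from BIND: it parses RRSIG records in dig/zone-file presentation format and flags any signature over DNSKEY that was made by a key tag outside the currently active set, or that is expired or close to expiry. The zone name, key tags, timestamps and signature blobs are constructed; the active key tags are assumed to come from the <id> part of the K<zone>+<alg>+<id> key file names.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in dig/zone-file presentation format (not real keys):
# the apex DNSKEY RRset with two RRSIGs, plus an unrelated RRSIG over SOA.
# Key 54321 is the retired ZSK whose signature over DNSKEY was never refreshed.
SAMPLE_APEX = """
example.test. 3600 IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDER==
example.test. 3600 IN DNSKEY 256 3 8 AwEAAbNEWZSKPLACEHOLDER==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110315000000 20110213000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110301000000 20110130000000 54321 example.test. c2lnMg==
example.test. 3600 IN RRSIG SOA 8 2 3600 20110325000000 20110223000000 24680 example.test. c2lnMw==
"""

# owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+\S+$"
)

def parse_time(stamp):
    """RRSIG YYYYMMDDHHmmSS timestamps are UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_dnskey_rrsigs(text, active_keytags, now_stamp, warn_days=7):
    """Return (keytag, problem) tuples for every RRSIG covering the DNSKEY RRset.

    active_keytags: key tags of keys currently published and active. A signature
    made by a key outside that set is the stale RRSIG described in the thread;
    one that is expired or close to expiry is what monitoring tools complain about.
    """
    now = parse_time(now_stamp)
    problems = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m or m["covered"] != "DNSKEY":
            continue
        keytag, expires = int(m["keytag"]), parse_time(m["exp"])
        if keytag not in active_keytags:
            problems.append((keytag, "signed by key not in active set"))
        if expires <= now:
            problems.append((keytag, "expired"))
        elif expires - now < timedelta(days=warn_days):
            problems.append((keytag, f"expires within {warn_days} days"))
    return problems

def run_sample():
    # Active keys: KSK 12345 and the new ZSK 24680; the old ZSK 54321 has been
    # made inactive with dnssec-settime -I. "Now" is 2011-02-28 UTC (constructed).
    return check_dnskey_rrsigs(SAMPLE_APEX, {12345, 24680}, "20110228000000")

if __name__ == "__main__":
    for keytag, problem in run_sample():
        print(f"RRSIG over DNSKEY by key {keytag}: {problem}")
```

In practice the input would be the output of `dig +dnssec DNSKEY <zone>` against the authoritative server and the active set would be derived from the key files whose Inactive time (as set by dnssec-settime) has not yet passed.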