On 03/10/2011 13:45, Torinthiel wrote:
> On 2011-10-01 11:40, Matthew Seaman wrote:
>> dnssec-signzone will grok all the built-in dates and do the right thing
>> when you sign the zone.
> BTW, how does dnssec-signzone behave when you pass -s option? Does it
> take into account that date when determining whether to use/publish key?
> Can one for example generate signatures for the future using
> dnssec-signzone, or is it possible only with careful manual inclusion?

If the date or offset you specify via the -s option is outside the
period of activation of a key, then dnssec-signzone won't use that key
to sign that RR. So if you're trying to manage keys manually you will
need to resign the zone once the activation date plus 1 hour has passed
-- assuming you take the defaults for '-s' -- to pick up the RRSIGs made
with the new key.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
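A small Python model of the rule described in the message above, added here as an illustration; it is not BIND code and not something the poster wrote. The key header is a constructed sample, the function names are hypothetical, and the boundary handling (Activate inclusive, Inactive exclusive, no Activate meaning never active) is an assumption of the model.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the timing comments found at the top of a K*.key file.
SAMPLE_KEY_HEADER = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20111001104000 (Sat Oct  1 10:40:00 2011)
; Publish: 20111001104000 (Sat Oct  1 10:40:00 2011)
; Activate: 20111010000000 (Mon Oct 10 00:00:00 2011)
; Inactive: 20111110000000 (Thu Nov 10 00:00:00 2011)
"""

DEFAULT_START_OFFSET = timedelta(hours=1)  # default -s is "now minus 1 hour"
_TIMING = re.compile(r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})\b", re.M)

def parse_timing(key_text):
    """Return {field: UTC datetime} for each timing comment in a key file."""
    return {name: datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            for name, stamp in _TIMING.findall(key_text)}

def signature_start(now, start=None):
    """Signature start time: the explicit -s value, else now minus one hour."""
    return start if start is not None else now - DEFAULT_START_OFFSET

def key_signs(timing, start):
    """True if `start` falls inside the key's activation period.
    Assumptions of this model: Activate is inclusive, Inactive is exclusive,
    and a key with no Activate time is treated as never active."""
    activate, inactive = timing.get("Activate"), timing.get("Inactive")
    if activate is None or start < activate:
        return False
    return inactive is None or start < inactive

def earliest_resign(timing, offset=DEFAULT_START_OFFSET):
    """Earliest wall-clock time at which a default-options run picks up the key."""
    return timing["Activate"] + offset

if __name__ == "__main__":
    timing = parse_timing(SAMPLE_KEY_HEADER)
    for now in (datetime(2011, 10, 10, 0, 30, tzinfo=timezone.utc),
                datetime(2011, 10, 10, 1, 0, tzinfo=timezone.utc)):
        print(now.isoformat(), "signs with new key:", key_signs(timing, signature_start(now)))
    print("re-sign no earlier than:", earliest_resign(timing).isoformat())
```

A run at 00:30 on the activation day still skips the new key because the default start time falls an hour earlier, which is why the re-sign has to wait until activation plus one hour.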