On 03/10/2011 13:45, Torinthiel wrote:
> On 2011-10-01 11:40, Matthew Seaman wrote:

>> dnssec-signzone will grok all the built-in dates and do the right thing
>> when you sign the zone.

> BTW, how does dnssec-signzone behave when you pass -s option? Does it
> take into account that date when determining whether to use/publish key?
> Can one for example generate signatures for the future using
> dnssec-signzone, or is it possible only with careful manual inclusion?

If the date or offset you specify via the -s option is outside the
period of activation of a key, then dnssec-signzone won't use that key
to sign that RR.  So if you're trying to manage keys manually you will
need to re-sign the zone once the activation date plus 1 hour has passed
-- assuming you take the defaults for '-s' -- to pick up the RRSIGs made
with the new key.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
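
Added example, not part of the original message and not BIND's own code: a Python model of the rule described in the reply above, showing which keys a signing run would use for a given -s start time and when a default run first picks up a newly activated key. The key file names and dates are constructed; it assumes the default -s of current time minus one hour, and treats the Activate time as inclusive and the Inactive time as exclusive.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: timing comments in the style found in K*.key files (UTC).
SAMPLE_KEYS = {
    "Kexample.com.+008+11111.key": """\
; This is a zone-signing key, keyid 11111, for example.com.
; Publish: 20110901000000 (Thu Sep  1 00:00:00 2011)
; Activate: 20110901000000 (Thu Sep  1 00:00:00 2011)
; Inactive: 20111101000000 (Tue Nov  1 00:00:00 2011)
""",
    "Kexample.com.+008+22222.key": """\
; This is a zone-signing key, keyid 22222, for example.com.
; Publish: 20111001000000 (Sat Oct  1 00:00:00 2011)
; Activate: 20111010120000 (Mon Oct 10 12:00:00 2011)
""",
}

DEFAULT_START_OFFSET = timedelta(hours=1)  # default -s: now minus 1 hour


def parse_timing(key_text):
    """Return {'Activate': datetime, ...} from the '; Name: YYYYMMDDHHMMSS' lines."""
    times = {}
    for m in re.finditer(r"^; (\w+): (\d{14})\b", key_text, re.M):
        stamp = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
        times[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return times


def signing_keys(keys, sig_start):
    """Names of keys whose activation period contains the signature start time."""
    usable = []
    for name, text in keys.items():
        t = parse_timing(text)
        if "Activate" not in t or sig_start < t["Activate"]:
            continue  # not yet active at the chosen start time
        if "Inactive" in t and sig_start >= t["Inactive"]:
            continue  # already retired at the chosen start time
        usable.append(name)
    return sorted(usable)


def default_sig_start(now):
    """Signature start time a run at 'now' gets when -s is not given."""
    return now - DEFAULT_START_OFFSET


def earliest_default_resign(key_text):
    """First run time at which a default -s falls inside the key's activation."""
    return parse_timing(key_text)["Activate"] + DEFAULT_START_OFFSET
```
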
