Am 25.05.2012 um 14:16 schrieb Tony Finch: > Axel Rau <axel....@chaos1.de> wrote: >> >> The tags of the KSKs with their dates are (set with dnssec-settime): >> --- >> [framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, >> D:2012-05-28T17:55:02)] >> [framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, >> D:2012-05-25T16:55:03)] >> --- >> 46210 is inactive and still used to sign DNSKEYs (from dig +dnssec DNSKEY >> framail.de. at 2012-05-25T13:55) : >> --- >> framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120622185603 >> 20120523175603 46210 framail.de... >> framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120623175502 >> 20120524165502 1699 framail.de... >> --- >> Shouln't named have ceased signing keys with this key? > > The 46210 signature's inception date is 2012-05-23 which is before its > key's inactive date 2012-05-24. That's true, but this sig does not live until its expire time at 2012-06-22. In my case, it disappeared on 2012-05-26 between 15:55 and 16:55.
Questions: Why did it disappear at that time? In general terms, at which point of time can I be sure that all sigs are removed? Axel --- PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
