> I don't think that bind trying to sign with non-existent key will do any harm
> - probably just warning.
> But it's simpler - change metadata of the key - set deletion time to the time
> you want the key to be deleted (like DS deletion time+TTL).
> Bind with auto-dnssec allow re-reads the metadata and should remove the key
> and all the signatures at that time.
> You don't need nsupdate nor update-policy for that.
Thanks very much. My experience with changing the timing metadata or removing the key files is that named issues a warning like the following:

    zone <zone>/IN: Key <zone>/<algorithm>/<key tag> missing or inactive and has no replacement: retaining signatures.

In this circumstance none of the RRSIGs or NSECs are removed. They sit there indefinitely even after the RRSIGs expire.

Best regards, Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
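The suggestion above relies on the timing metadata that BIND stores in each key's `K*.private` file (the `Publish`, `Activate`, `Inactive` and `Delete` lines, written as UTC `YYYYMMDDHHMMSS` timestamps and normally set with `dnssec-settime`). The following Python is an added example, not code from the thread or from ISC: it parses that metadata from a constructed sample file, computes a `Delete` time from a DS removal time plus the DS TTL as the reply proposes, and flags the "retaining signatures" warning that the follow-up describes. The sample key file contents and log line are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Timing fields BIND writes into K<zone>+<alg>+<tag>.private (UTC, YYYYMMDDHHMMSS).
TIMING_FIELDS = ("Created", "Publish", "Activate", "Inactive", "Delete")


def parse_private_key_metadata(text):
    """Return the timing metadata of a K*.private file as a dict of UTC datetimes."""
    meta = {}
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip(), value.strip()
        if field in TIMING_FIELDS:
            meta[field] = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return meta


def deletion_time_after_ds_removal(ds_removed_at, ds_ttl_seconds):
    """Delete time per the thread's advice: DS removal time plus the DS record's TTL."""
    return ds_removed_at + timedelta(seconds=ds_ttl_seconds)


def is_due_for_removal(meta, now):
    """True once the key's Delete time has been reached (what auto-dnssec acts on)."""
    return "Delete" in meta and meta["Delete"] <= now


def retained_signature_warnings(log_lines):
    """Return named log lines reporting that signatures are being retained for a missing key."""
    marker = "missing or inactive and has no replacement: retaining signatures"
    return [line for line in log_lines if marker in line]


# Constructed sample of a K*.private file with the secret material omitted.
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: <omitted>
Created: 20120301120000
Publish: 20120301120000
Activate: 20120301120000
Inactive: 20120601120000
Delete: 20120615120000
"""

# Constructed sample log line in the shape quoted in the thread.
SAMPLE_LOG = [
    "zone example.com/IN: Key example.com/RSASHA256/12345 missing or inactive and has no replacement: retaining signatures.",
    "zone example.com/IN: reconfiguring zone keys",
]

if __name__ == "__main__":
    meta = parse_private_key_metadata(SAMPLE_PRIVATE)
    ds_removed = datetime(2012, 6, 14, 12, 0, tzinfo=timezone.utc)
    print("Delete time in key file:", meta["Delete"])
    print("DS removal + 1 day TTL:", deletion_time_after_ds_removal(ds_removed, 86400))
    print("Due for removal now?", is_due_for_removal(meta, datetime.now(timezone.utc)))
    for warning in retained_signature_warnings(SAMPLE_LOG):
        print("named is retaining signatures:", warning)
```

Run it against a real key by reading the `.private` file into `parse_private_key_metadata`; a key whose `Delete` time is in the past but which still shows up in the retained-signatures warning is exactly the case the follow-up message reports.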