On 2014-05-29 at 00:59 -0400, Phil Pennock wrote:
> The new DNSKEY had id=33768 and when I deployed it, Bind signed the SOA
> with it but nothing else.
Bind 9.10 ARM (PDF-only??):

"However, if the new key is replacing an existing key of the same algorithm, then the zone will be re-signed incrementally, with signatures from the old key being replaced with signatures from the new key as their signature validity periods expire. By default, this rollover completes in 30 days, after which it will be safe to remove the old key from the DNSKEY RRset."

This is the cause, isn't it? The KSK/ZSK distinction again is irrelevant here.

I'm not seeing any way to fix this while keeping the current id=53065 KSK. Is there a way to transition in a timely manner while keeping current keys?

If not, if I were to use dnssec-settime to set the 53065 key to be retired in two days and generate a new KSK of the same algorithm, what would the timing be on switching to the new key and getting all the records updated? I have a two hour TTL on the DS records in the parent, which are currently for 53065.

Thanks,
-Phil

bind-users mailing list: https://lists.isc.org/mailman/listinfo/bind-users
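The timing question in the post (publish a new KSK of the same algorithm, move the parent's DS to it, retire the old key) can be worked through as a double-signature KSK rollover in the sense of RFC 6781 section 4.1.2. The script below is an added example written for this page; it is not code from the original post or from ISC. It computes each milestone from the TTLs involved and emits the dnssec-settime invocations that store that schedule in the key files. Key tags 53065 (old) and 33768 (new) and the two hour DS TTL come from the thread; the zone name, the algorithm number in the key file names, the DNSKEY TTL, the parent's publication delay, the safety margin and the start time are assumptions.

```python
"""Timeline for a double-signature KSK rollover (RFC 6781, section 4.1.2).

Added example for the bind-users thread above; not code from the original
post or from ISC/BIND. It computes when each step of "publish a new KSK of
the same algorithm, swap the DS in the parent, retire the old KSK" may
safely happen, and renders the dnssec-settime commands that record that
schedule in the key files so that named's automatic key maintenance
follows it. Key tags 53065 (old) and 33768 (new) and the 2 h DS TTL are
from the thread; the zone name, algorithm number, DNSKEY TTL, parent
publication delay, safety margin and start time are assumptions.
"""
from datetime import datetime, timedelta, timezone


def ksk_rollover_schedule(start, dnskey_ttl, ds_ttl, parent_delay, margin):
    """Return the rollover milestones as a dict of timezone-aware datetimes.

    start         when the new KSK is added to the DNSKEY RRset
    dnskey_ttl    TTL of the DNSKEY RRset (caches may hold the old set this long)
    ds_ttl        TTL of the DS RRset in the parent
    parent_delay  worst-case time between submitting the new DS and the
                  parent actually serving it
    margin        extra slack added at each wait
    """
    publish_new = start
    # A validator that cached the old DNSKEY RRset must have expired it
    # before any DS points at the new key, so wait one DNSKEY TTL.
    submit_ds = publish_new + dnskey_ttl + margin
    ds_published = submit_ds + parent_delay
    # Caches may still hand out the old DS for its TTL, and during that
    # window the old KSK must keep signing the DNSKEY RRset.
    retire_old = ds_published + ds_ttl + margin
    # Keep the old DNSKEY in the RRset for one more DNSKEY TTL after it
    # stops signing, so no cache holds a signature with no matching key.
    delete_old = retire_old + dnskey_ttl + margin
    return {
        "publish_new": publish_new,
        "submit_ds": submit_ds,
        "ds_published": ds_published,
        "retire_old": retire_old,
        "delete_old": delete_old,
    }


def settime_commands(schedule, new_keyfile, old_keyfile):
    """Render dnssec-settime invocations that encode the schedule.

    -P publish, -A activate, -I inactive (stop signing), -D delete.
    Absolute times are given as YYYYMMDDHHMMSS in UTC.
    """
    def ts(d):
        return d.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")

    s = schedule
    return [
        # New KSK: published and signing from the start (double signature).
        f"dnssec-settime -P {ts(s['publish_new'])} -A {ts(s['publish_new'])} {new_keyfile}",
        # Old KSK: stop signing once the old DS has expired from caches,
        # then remove the DNSKEY itself one DNSKEY TTL later.
        f"dnssec-settime -I {ts(s['retire_old'])} -D {ts(s['delete_old'])} {old_keyfile}",
    ]


def example_schedule():
    """Constructed parameters: the 2 h DS TTL is from the thread, the
    start time, 1 h DNSKEY TTL, 1 day parent delay and 1 h margin are
    assumptions chosen for illustration."""
    start = datetime(2014, 5, 29, 5, 0, tzinfo=timezone.utc)
    return ksk_rollover_schedule(
        start,
        dnskey_ttl=timedelta(hours=1),
        ds_ttl=timedelta(hours=2),
        parent_delay=timedelta(days=1),
        margin=timedelta(hours=1),
    )


if __name__ == "__main__":
    sched = example_schedule()
    for step, when in sched.items():
        print(f"{step:13s} {when:%Y-%m-%d %H:%M} UTC")
    # Zone name and algorithm number (8) in the key file names are assumptions.
    for cmd in settime_commands(sched, "Kexample.com.+008+33768",
                                "Kexample.com.+008+53065"):
        print(cmd)
```

With the assumed inputs the old key stops signing 29 hours after the new one is published and is deleted 31 hours after. The DS submission step in the middle is manual and depends on the parent; the script only tells you when it is safe to do it. After running the dnssec-settime commands, `rndc loadkeys <zone>` makes a zone under `auto-dnssec maintain` re-read the key timing metadata.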

