Tom <tomtux...@gmail.com> wrote:
> Does the "inline-signing"-mechanism also automatically renew the
> expiration-time of the RRSIGs?

Yes.

> If so: When or in which interval does BIND verify the expiration-times
> of the RRSIGs and renew them?

The documentation for sig-validity-interval says renewal time is 1/4 of
the validity period, so for your 1 day interval, 6 hours before expiry.

    sig-validity-interval

        Specifies the number of days into the future when DNSSEC
        signatures automatically generated as a result of dynamic
        updates (Section 4.2) will expire. There is an optional second
        field which specifies how long before expiry that the
        signatures will be regenerated. If not specified, the
        signatures will be regenerated at 1/4 of base interval. The
        second field is specified in days if the base interval is
        greater than 7 days otherwise it is specified in hours. The
        default base interval is 30 days giving a re-signing interval
        of 7 1/2 days. The maximum values are 10 years (3660 days).

        The signature inception time is unconditionally set to one
        hour before the current time to allow for a limited amount of
        clock skew.

        The sig-validity-interval should be, at least, several
        multiples of the SOA expire interval to allow for reasonable
        interaction between the various timer and expiry dates.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
South Utsire: Westerly 3 or 4, backing southerly 4 or 5. Slight or moderate.
Showers. Good.
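Added example, not part of the original message and not BIND's own code: a monitoring check that applies the sig-validity-interval rule quoted above to RRSIG records and flags any signature that is already past its documented re-sign time, which suggests automatic re-signing has stalled. The function names, the sample records and the sample "current time" are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_DAYS = 3660  # maximum base interval quoted in the documentation above

def resign_lead(base_days, second=None):
    """Lead time before expiry at which signatures are regenerated."""
    if not 0 < base_days <= MAX_DAYS:
        raise ValueError("base interval out of range")
    validity = timedelta(days=base_days)
    if second is None:
        return validity / 4                      # default: 1/4 of base interval
    # Second field: days if base > 7 days, otherwise hours.
    lead = timedelta(days=second) if base_days > 7 else timedelta(hours=second)
    if lead >= validity:                         # sanity check added by this example
        raise ValueError("re-sign lead must be shorter than the validity")
    return lead

def parse_rrsig(line):
    """Return (owner, type covered, expiration) from one RRSIG line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    expire = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return f[0], f[4], expire

def audit(lines, now, base_days, second=None):
    """Classify each signature as ok, overdue (past re-sign time) or expired."""
    lead = resign_lead(base_days, second)
    report = []
    for line in lines:
        owner, covered, expire = parse_rrsig(line)
        if now >= expire:
            status = "expired"
        elif now >= expire - lead:
            status = "overdue"
        else:
            status = "ok"
        report.append((owner, covered, status, expire - lead))
    return report

# Constructed sample records (dig-style presentation format), not real data.
SAMPLE = [
    "example.com. 3600 IN RRSIG A 8 2 3600 20240102120000 20240101110000 12345 example.com. c2FtcGxl",
    "example.com. 3600 IN RRSIG MX 8 2 3600 20240102030000 20240101020000 12345 example.com. c2FtcGxl",
    "example.com. 3600 IN RRSIG TXT 8 2 3600 20240101230000 20231231220000 12345 example.com. c2FtcGxl",
]
NOW = datetime(2024, 1, 2, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for owner, covered, status, resign_at in audit(SAMPLE, NOW, base_days=1):
        print(owner, covered, status, "re-sign due", resign_at.isoformat())
```

In practice the record lines would come from querying the zone's authoritative server with DNSSEC records requested, and `base_days` and `second` from the zone's configured sig-validity-interval.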