On 23 Jul 2008, at 4:18, Paul Schmehl wrote:


        WRONG.

        You need to re-sign the zone an expire period before the
        signatures expire.  You need to generate new keys periodically
        but nowhere near every 30 days.


OK. I misspoke. I got the 30 days from Andrew Clegg's presentation and confused keys with signatures. But still, you have to re-sign *every* zone every 30 days.

Don't forget to bump the zone serial too... as your secondaries will not catch up otherwise and start serving expired RRSIGs, leaving your zone dead in the water.

- R
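
The two checks discussed in this thread, as an added example that is not part of the original messages: flag RRSIGs that expire within one SOA expire timer of now, and compare serials the way a secondary does before it transfers. The zone text, names and key tag are constructed sample data, and reading "expire period" as the SOA expire timer is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone data (not from the original thread).
ZONE = """\
example.test. 3600 IN SOA ns1.example.test. host.example.test. 2008072301 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 5 2 3600 20080822000000 20080723000000 12345 example.test. c2lnMQ==
www.example.test. 3600 IN RRSIG A 5 3 3600 20080801000000 20080702000000 12345 example.test. c2lnMg==
"""

# RRSIG rdata: type alg labels origttl expiration inception keytag signer sig
RRSIG = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s", re.M)
# SOA rdata: mname rname serial refresh retry expire minimum
SOA = re.compile(
    r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s+\d+", re.M)

def parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def soa_serial_and_expire(zone_text):
    m = SOA.search(zone_text)
    return int(m.group(1)), int(m.group(2))

def rrsigs_due(zone_text, now):
    """RRSIGs whose remaining validity is no longer than the SOA expire timer."""
    _, expire = soa_serial_and_expire(zone_text)
    deadline = now + timedelta(seconds=expire)
    return [(name, covered, parse_ts(exp))
            for name, covered, exp, _inception in RRSIG.findall(zone_text)
            if parse_ts(exp) <= deadline]

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and ((a - b) % 2**32) < 2**31

def secondary_is_stale(primary_serial, secondary_serial):
    """A secondary only transfers when the primary's serial is newer than its own."""
    return serial_newer(primary_serial, secondary_serial)
```

If the zone is re-signed but the serial stays the same, secondary_is_stale() returns False, so the secondary keeps the old RRSIGs until they expire.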
