Hi All,
As I posted earlier, the 'RR Does Not Exist' and ods-signer not signing
RRSIGs until they expire cause a lot of problems.
My test tlds here have their KSK rolled over every 4H and ZSK rolled over every
2H, and after days of testing you can see the number of DNSKEYs that
exist in the zone file, most of which are dead.
[gtld@index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
75
[gtld@index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
67
It's obvious opendnssec did not remove them from the zone. I will change the
<purge> to 1H (it was 14D by default); I hope this will help.
I wrote a script to do an nsupdate of the SOA to the INBOUND BIND, and this can make
opendnssec re-sign the expiring RRs (or the RRSIGs will stay expired), but it
cannot solve the Lots-of-Dead-DNSKEYs problem.
I need your help guys.
Best regards,
Stuart
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
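To tell live keys from dead ones in a zone like the ones above, the check below is an added example (not code from the post or from OpenDNSSEC): it computes each DNSKEY's key tag (RFC 4034 Appendix B), parses the RRSIG expiration timestamps, and reports RRSIGs already past expiration plus DNSKEYs that no still-valid RRSIG references. The zone text, owner name and two-byte public keys are constructed for illustration.

```python
import base64
import struct
from datetime import datetime, timezone

def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B (general case; not the obsolete RSA/MD5 rule)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd-indexed bytes are the low octet of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rrsig_time(ts: str) -> datetime:
    """RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC) to datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_zone(zone_text: str, now_ts: str):
    """Return (expired_rrsigs, dead_keytags) for a zone in presentation format.
    expired_rrsigs: (owner, type covered, key tag) of RRSIGs whose expiration <= now.
    dead_keytags:   DNSKEY key tags that no RRSIG still valid at `now` uses."""
    now = rrsig_time(now_ts)
    keytags, live_signers, expired = set(), set(), []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[2] == "IN" and f[3] == "DNSKEY":
            # owner ttl IN DNSKEY flags protocol algorithm key...
            keytags.add(dnskey_keytag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif len(f) >= 12 and f[2] == "IN" and f[3] == "RRSIG":
            # owner ttl IN RRSIG covered alg labels origttl expiration inception keytag signer sig...
            covered, expiration, keytag = f[4], rrsig_time(f[8]), int(f[10])
            if expiration <= now:
                expired.append((f[0], covered, keytag))
            else:
                live_signers.add(keytag)
    return expired, sorted(keytags - live_signers)

# Constructed sample: a KSK (tag 1049), a current ZSK (tag 1290) and an old ZSK (tag 33671)
# whose only RRSIG has already expired; the key material is dummy two-byte data.
SAMPLE_ZONE = """\
dstest1. 3600 IN DNSKEY 257 3 8 ABA=
dstest1. 3600 IN DNSKEY 256 3 8 AQI=
dstest1. 3600 IN DNSKEY 256 3 8 f38=
dstest1. 3600 IN RRSIG DNSKEY 8 1 3600 20240401000000 20240201000000 1049 dstest1. c2ln
dstest1. 3600 IN SOA ns1.dstest1. hostmaster.dstest1. 1 7200 3600 1209600 3600
dstest1. 3600 IN RRSIG SOA 8 1 3600 20240315000000 20240215000000 1290 dstest1. c2ln
dstest1. 3600 IN RRSIG SOA 8 1 3600 20240101000000 20231201000000 33671 dstest1. c2ln
"""

if __name__ == "__main__":
    expired, dead = audit_zone(SAMPLE_ZONE, "20240301000000")
    print("expired RRSIGs:", expired)
    print("dead DNSKEY key tags:", dead)
```

Feed it `dig @server zone AXFR` output (or the signed zone file) and a current timestamp; counting by key tag also avoids the double count a plain `grep DNSKEY` gets from the `RRSIG DNSKEY` lines.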