Re: DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tony Finch
Tom wrote:

> Does the "inline-signing"-mechanism also automatically renew the
> expiration-time of the RRSIGs?

Yes.

> If so: When or in which interval does BIND verify the expiration-times
> of the RRSIGs and renew them?

The documentation for sig-validity-interval says renewal time is 1/4 of
the validity period, so for your 1 day interval, 6 hours before expiry.

sig-validity-interval

Specifies the number of days into the future when DNSSEC signatures
automatically generated as a result of dynamic updates (Section 4.2) will
expire. There is an optional second field which specifies how long before
expiry that the signatures will be regenerated.  If not specified, the
signatures will be regenerated at 1/4 of base interval.  The second field
is specified in days if the base interval is greater than 7 days otherwise
it is specified in hours. The default base interval is 30 days giving a
re-signing interval of 7 1/2 days. The maximum values are 10 years (3660
days).

The signature inception time is unconditionally set to one hour before the
current time to allow for a limited amount of clock skew.

The sig-validity-interval should be, at least, several multiples of the
SOA expire interval to allow for reasonable interaction between the
various timer and expiry dates.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
South Utsire: Westerly 3 or 4, backing southerly 4 or 5. Slight or moderate.
Showers. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DNSSEC and automatic renewal of RRSIG-expiration-time

2018-05-03 Thread Tom

Hi list

Using latest BIND (9.12.1) with dnssec and inline-signing enabled. 
SIG-VALIDITY-INTERVAL is set to 1 day (for testing).

Look at the following RRSIG:
</grreplace>
<gr_replace lines="72-76" cat="clarify" orig="The record does expire">
The record expires in a few hours.
Does the "inline-signing" mechanism also automatically renew the
expiration time of the RRSIGs? If so: when, or at which interval, does
BIND check the expiration times of the RRSIGs and renew them? If not,
what do I have to do to force BIND to renew the RRSIGs automatically?

test01.example.com. 300 IN RRSIG A 8 3 300 (
20180504060124 20180503052321 1 test01.example.com.
rUch7bFR18Nmaeu+gqS29fG8oTPQm1SIBe9x+0iVPpXw
GnXBy6bZacXiBwYPjgJd7GK+3giGq/Mw2URXexW8PuuV
IGBz8bRUczNbQPHsaZUWXlv32RelJArykWB8S/N5pvOn
r8Q9w4asKR6JNiDnzoF/09EVlSyXvaluVrZT7kMGKdgC
OB7H20kwcBkGdwUYMclna2XmddQMeicc5yjxglQgpg89
48Om5L8A0hjGDQEyTTTaOA91D+7/F2yI99TPvSYizC+6
vYUoleAIWQi3GRG/KJRd9N8OouZIYgOtf2jKPwsEQwhQ
sS7G3w4BxrkEB8Q8btx5CWaKX2CVD8Jv2A== )

The record does expire in a few hours.
Does the "inline-signing"-mechanism also automatically renew the 
expiration-time of the RRSIGs? If so: When or in which interval does 
BIND verify the expiration-times of the RRSIGs and renew them? If no, 
what do I have to do, to force BIND automatically to renew the RRSIGs?


Thank you.
Kind regards,
Tom
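The following is an added example, not code from the thread or from ISC's BIND. It parses the RRSIG Tom posted (RFC 4034 presentation format, timestamps in YYYYMMDDHHmmSS UTC) and applies the re-signing rule Tony quotes from the sig-validity-interval documentation: regenerate at the optional second field if given, otherwise 1/4 of the base interval before expiry, so 6 hours for the 1-day setting used here. The record text is the one on the page; the "now" values used to classify it are constructed. The status names and the `ONE_DAY` constant are this example's own choices; the 1/4 fraction and the one-hour inception skew allowance come from the quoted documentation, and nothing here replaces checking the served zone itself (e.g. with `dig +dnssec`).

```python
import base64
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample input: the RRSIG from the question, in the multi-line
# presentation format BIND prints (signature data wrapped in parentheses).
SAMPLE_RRSIG = """\
test01.example.com. 300 IN RRSIG A 8 3 300 (
20180504060124 20180503052321 1 test01.example.com.
rUch7bFR18Nmaeu+gqS29fG8oTPQm1SIBe9x+0iVPpXw
GnXBy6bZacXiBwYPjgJd7GK+3giGq/Mw2URXexW8PuuV
IGBz8bRUczNbQPHsaZUWXlv32RelJArykWB8S/N5pvOn
r8Q9w4asKR6JNiDnzoF/09EVlSyXvaluVrZT7kMGKdgC
OB7H20kwcBkGdwUYMclna2XmddQMeicc5yjxglQgpg89
48Om5L8A0hjGDQEyTTTaOA91D+7/F2yI99TPvSYizC+6
vYUoleAIWQi3GRG/KJRd9N8OouZIYgOtf2jKPwsEQwhQ
sS7G3w4BxrkEB8Q8btx5CWaKX2CVD8Jv2A== )"""

UTC = timezone.utc
ONE_DAY = timedelta(days=1)  # the sig-validity-interval Tom set for testing


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: bytes


def parse_rrsig_time(field: str) -> datetime:
    """RFC 4034 section 3.2 timestamp: YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def parse_rrsig(text: str) -> Rrsig:
    """Parse one RRSIG record from presentation format, single- or multi-line."""
    tokens = text.replace("(", " ").replace(")", " ").split()
    # owner ttl class RRSIG type alg labels ottl expiration inception keytag signer sig...
    if len(tokens) < 13 or tokens[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    # validate=True rejects stray characters instead of silently skipping them
    signature = base64.b64decode("".join(tokens[12:]), validate=True)
    return Rrsig(
        owner=tokens[0], type_covered=tokens[4], algorithm=int(tokens[5]),
        labels=int(tokens[6]), original_ttl=int(tokens[7]),
        expiration=parse_rrsig_time(tokens[8]),
        inception=parse_rrsig_time(tokens[9]),
        key_tag=int(tokens[10]), signer=tokens[11], signature=signature,
    )


def resign_time(sig: Rrsig, base_interval: timedelta,
                resign_before: Optional[timedelta] = None) -> datetime:
    """Expected regeneration time per the quoted sig-validity-interval text:
    the optional second field if configured, otherwise 1/4 of the base
    interval, measured back from the signature's expiration."""
    if resign_before is None:
        resign_before = base_interval / 4
    return sig.expiration - resign_before


def signature_status(sig: Rrsig, now: datetime, base_interval: timedelta,
                     resign_before: Optional[timedelta] = None) -> str:
    """Classify a signature relative to 'now' for monitoring purposes."""
    if now < sig.inception:
        # Inception is set an hour before signing time; being here means
        # the observer's clock is ahead of the signer's by more than that.
        return "not yet valid"
    if now >= sig.expiration:
        return "expired"  # validating resolvers now treat the RRset as bogus
    if now >= resign_time(sig, base_interval, resign_before):
        return "due for re-signing"  # inline-signing should have replaced it already
    return "valid"


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    print(f"{sig.owner} {sig.type_covered} alg={sig.algorithm} keytag={sig.key_tag}")
    print("inception :", sig.inception.isoformat())
    print("expiration:", sig.expiration.isoformat())
    print("re-sign at:", resign_time(sig, ONE_DAY).isoformat())
    for when in ("20180503120000", "20180504020000", "20180504070000"):
        print(when, "->", signature_status(sig, parse_rrsig_time(when), ONE_DAY))
```

Running it against the posted record gives a re-sign time of 2018-05-04 00:01:24 UTC, six hours before the 06:01:24 expiry. A signature that is still present past its re-sign time is the early warning worth alerting on: once it reaches "expired", validating resolvers stop answering for the name, so the check should run well inside the 1/4 window.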