From: Tony Finch <d...@dotat.at>
Date: Thursday, July 14, 2016 at 3:17 AM
To: Mathew Eis <mathew@nau.edu>
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> sig-validity-interval seems to only affect the expiration date of newly
> created signatures, and of course signatures are only rolling over to
> new keys as they expire.
>
> I am wondering if I can ask bind to set the expiration for, say 30 days
>
,
Mathew Eis
-Original Message-
From: Tony Finch <d...@dotat.at>
Date: Wednesday, July 6, 2016 at 2:48 AM
To: Mathew Eis <mathew@nau.edu>
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> Does all of that sound right?
I believe so, yes.
Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Humber, Thames, Dover, Wight, Portland, Plymouth, North Biscay: Northwesterly,
backing southwesterly, 3 or 4,
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> > Are you allowing enough time for named to go through a zone key
> > maintenance cycle? (which is hourly if I remember correctly)
>
> I’m not sure, it sounds like perhaps not always? You’ve mentioned a “zone
> key maintenance cycle” of an hour, and
Cc: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
> necessary metadata to
Hi BIND,
The documentation for auto-dnssec maintain suggests that named will remove
DNSKEYs from zones when the deletion time marked in the metadata occurs [1].
Unfortunately, it seems this is not always the case.
We are currently trying to diagnose the source of residual DNSKEYs in our zones