On Tue, Jul 05, 2011 at 02:28:13PM -0700, Paul B. Henson wrote:
> I saw this message from dnssec-signzone around the time a previously
> published key was due to be activated, and I'm not quite sure what it
> means. Google is uncharacteristically silent about it ;).
>
> If someone could offer an explanation of why the activation was delayed
> and whether I should care it would be much appreciated, thanks...
The key is being published now, and its activation date (i.e., when it will start to be used to sign records) is in the near future: less than the TTL of the DNSKEY record from now.

When the key starts signing, then someone could get an RRSIG generated by that key... but, if that same someone had a cached copy of the DNSKEY record from *before* the key was published, then validation could fail.

So, what it's telling you is that named won't start signing records with this key until after the old DNSKEY record is guaranteed to have expired out of all the resolver caches.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
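The timing problem Evan describes, as an added illustration that is not part of the thread and not BIND's own code: a toy model of a validating resolver that caches the zone's DNSKEY RRset for one TTL. The key tags, TTL and timestamps are constructed values, and `zone_dnskeys`, `Resolver` and `signing_succeeds` are hypothetical helpers written for this example. It shows that an RRSIG made by the new key validates only once every cache fetched before publication has had a chance to expire, which is exactly `publish_time + dnskey_ttl`.

```python
# Added illustration (not from the thread, not BIND code): a toy resolver cache
# showing why signing with a freshly published DNSKEY before one DNSKEY TTL has
# elapsed can fail validation. All numbers below are constructed.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

DNSKEY_TTL = 3600          # constructed: TTL of the zone's DNSKEY RRset, seconds
OLD_KEY_TAG = 11111        # constructed stand-ins for real DNSKEY key tags
NEW_KEY_TAG = 22222
PUBLISH_TIME = 10_000      # constructed: when the new DNSKEY first appears in the zone


def earliest_safe_activation(publish_time: int, dnskey_ttl: int) -> int:
    """A DNSKEY RRset fetched just before publication (so lacking the new key)
    can sit in a cache for up to one TTL; only after that may the key sign."""
    return publish_time + dnskey_ttl


def zone_dnskeys(now: int) -> FrozenSet[int]:
    """Authoritative view of the DNSKEY RRset: new key present from PUBLISH_TIME."""
    tags = {OLD_KEY_TAG}
    if now >= PUBLISH_TIME:
        tags.add(NEW_KEY_TAG)
    return frozenset(tags)


@dataclass
class CachedRRset:
    key_tags: FrozenSet[int]
    fetched_at: int
    ttl: int

    def fresh_at(self, now: int) -> bool:
        # A cached RRset is served until its TTL runs out.
        return now < self.fetched_at + self.ttl


class Resolver:
    """Minimal validating resolver: reuse the cached DNSKEY RRset while fresh,
    refetch from the authoritative view once it has expired."""

    def __init__(self, authoritative: Callable[[int], FrozenSet[int]], ttl: int):
        self.authoritative = authoritative
        self.ttl = ttl
        self.cache: Optional[CachedRRset] = None

    def dnskeys(self, now: int) -> FrozenSet[int]:
        if self.cache is None or not self.cache.fresh_at(now):
            self.cache = CachedRRset(self.authoritative(now), now, self.ttl)
        return self.cache.key_tags

    def validate(self, now: int, rrsig_key_tag: int) -> bool:
        # Validation needs the signing key in the DNSKEY RRset the resolver holds.
        return rrsig_key_tag in self.dnskeys(now)


def signing_succeeds(fetch_time: int, activation_time: int) -> bool:
    """Does an RRSIG made by the new key at activation_time validate for a
    resolver that last fetched the DNSKEY RRset at fetch_time?"""
    resolver = Resolver(zone_dnskeys, DNSKEY_TTL)
    resolver.dnskeys(fetch_time)        # prime the cache
    return resolver.validate(activation_time, NEW_KEY_TAG)


if __name__ == "__main__":
    safe = earliest_safe_activation(PUBLISH_TIME, DNSKEY_TTL)
    # Worst case: a resolver that cached the old RRset one second before publication.
    print("activate before TTL elapses:", signing_succeeds(PUBLISH_TIME - 1, PUBLISH_TIME + 1000))
    print("activate at publish + TTL  :", signing_succeeds(PUBLISH_TIME - 1, safe))
```

The model deliberately ignores resolver behaviours such as refetching DNSKEYs on a validation failure; the point is the worst-case cache, which is what named's delay is sized against.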