On 7/7/2011 12:37 PM, Evan Hunt wrote:
> less than $dnskey_ttl seconds in the future. If the activation time were further away, it would not warn you. If it were in the past, it would use the key to sign the zone, and again it would not warn you. There's only a window of $dnskey_ttl seconds in which you'd ever see this.
Ah, ok, now it's making sense. On another review, the message wasn't generated in the forced signing after the new keys were created; it came from a run initiated by someone making an actual change that needed to be deployed. This must be the first time since we rolled it out that a change has been made within 12 hours (our default TTL) of a key rollover, which is why I'd never seen it before.
> And actually, in the case of dnssec-signzone, it's a pointless message and should probably be suppressed.
Agreed :), would have saved me some confusion and unnecessary concern. For now, I can just ignore it; thanks again for the clarification of what was going on.

--
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
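The window described in this thread can be checked before a signing run. The sketch below is an added example, not code from the thread or from BIND: it reads the `; Activate:` timing comment that dnssec-keygen writes into K*.key files and classifies a key against a DNSKEY TTL. The function names, the labels and the sample key are constructed for illustration, and the timestamps are assumed to be UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Timing-metadata comment in a K*.key file, e.g.
# "; Activate: 20110708000000 (Fri Jul  8 00:00:00 2011)"
ACTIVATE_RE = re.compile(r"^;\s*Activate:\s*(\d{14})\b", re.MULTILINE)


def activation_time(key_text):
    """Return the key's Activate time as an aware UTC datetime, or None."""
    m = ACTIVATE_RE.search(key_text)
    if m is None:
        return None
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def classify(key_text, now, dnskey_ttl):
    """Classify a key for a signing run at `now` (labels are hypothetical).

    'active'  : activation is in the past; the key signs, no warning
    'window'  : activation is less than dnskey_ttl seconds away; warning
    'future'  : activation is further away; no warning
    'untimed' : the key file carries no Activate metadata
    """
    act = activation_time(key_text)
    if act is None:
        return "untimed"
    if act <= now:
        return "active"
    if act - now < timedelta(seconds=dnskey_ttl):
        return "window"
    return "future"


# Constructed sample key file; the key data is a placeholder, not a real key.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20110701000000 (Fri Jul  1 00:00:00 2011)
; Publish: 20110701000000 (Fri Jul  1 00:00:00 2011)
; Activate: 20110708000000 (Fri Jul  8 00:00:00 2011)
example.com. IN DNSKEY 256 3 8 AwEAAconstructedPlaceholder==
"""

TTL_12H = 12 * 3600  # the 12-hour default TTL mentioned in the thread

if __name__ == "__main__":
    run_at = datetime(2011, 7, 7, 19, 37, tzinfo=timezone.utc)
    print(classify(SAMPLE_KEY, run_at, TTL_12H))
```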