On 2/25/20 1:30 PM, Mark Andrews wrote:
> Firstly unset the deletion date for the old key. It is way
> too early for incremental re-signing. Named replaces RRSIG
> *as-they-fall-due* for re-signing. With the defaults that
> takes 22.5 days with a sig-validity-interval of 30 days.
>
> All Inactivation does is STOP named signing records with that
> key. It does NOT cause old RRSIGs to be replaced. This is
> deliberate.
>
> You are using offline signing timings where everything in the
> zone is re-signed at once. To use the offline time model just
> use 22.5 days as the time to sign the zone rather than the fictional
> 0 seconds.
I'm supposedly using inline-signing (auto-dnssec maintain; inline-signing yes;). I set the time as short as I could, as I really don't want to wait a month to see the rollover happen, but I suspect (and I think that's what you said above) that it's the date in the RRSIG record that actually matters.
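An added illustration of the point made in the quoted reply (this is not code from the thread or from BIND): given the RRSIGs currently in a zone, the old ZSK can only be deleted once the last signature it produced has been refreshed by named. The sample dig-style RRSIG lines, the key tags, and the "refresh when a quarter of the validity interval remains" rule (which gives the 22.5 days quoted above for a 30-day sig-validity-interval) are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed dig-style RRSIG output (not from the original mail). Field order:
# owner ttl class RRSIG type alg labels orig-ttl expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG SOA 13 2 3600 20200325120000 20200224120000 12345 example.com. abc==
www.example.com. 3600 IN RRSIG A 13 3 3600 20200320120000 20200219120000 12345 example.com. def==
mail.example.com. 3600 IN RRSIG A 13 3 3600 20200328120000 20200227120000 54321 example.com. ghi==
"""

VALIDITY = timedelta(days=30)
# Assumption: named refreshes a signature when 1/4 of the validity interval
# remains, i.e. a 30-day signature is replaced 22.5 days after inception.
REFRESH_BEFORE_EXPIRY = VALIDITY / 4


def parse_time(stamp):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Pick the fields we need out of presentation-format RRSIG records."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        sigs.append({"owner": f[0], "type": f[4],
                     "expiration": parse_time(f[8]),
                     "inception": parse_time(f[9]),
                     "keytag": int(f[10])})
    return sigs


def resign_due(sig):
    """When named will replace this signature as it falls due."""
    return sig["expiration"] - REFRESH_BEFORE_EXPIRY


def earliest_safe_delete(sigs, old_keytag):
    """Inactivation stops new signing only; the old key must stay until every
    RRSIG it made has been refreshed (cache TTLs are not added here)."""
    due = [resign_due(s) for s in sigs if s["keytag"] == old_keytag]
    return max(due) if due else None


def delete_date_ok(sigs, old_keytag, proposed):
    """True if a proposed Delete time for old_keytag is not too early."""
    safe = earliest_safe_delete(sigs, old_keytag)
    return safe is None or proposed >= safe
```

Run it against `dig +dnssec AXFR` (or `dig +dnssec ANY`) output for your own zone to see how late the last old-key signature is actually refreshed before picking a deletion date.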
bind-users mailing list, bind-users@lists.isc.org, https://lists.isc.org/mailman/listinfo/bind-users