> On 26 Feb 2020, at 08:40, Alan Batie <a...@peak.org> wrote:
> 
> On 2/25/20 1:30 PM, Mark Andrews wrote:
>> Firstly unset the deletion date for the old key.   It is way
>> too early for incremental re-signing.  Named replaces RRSIG
>> *as-they-fall-due* for re-signing.  With the defaults that
>> takes 22.5 days with a sig-validity-interval of 30 days.
>> 
>> All Inactivation does is STOP named signing records with that
>> key.  It does NOT cause old RRSIGs to be replaced.  This is
>> deliberate.
>> 
>> You are using offline signing timings where everything in the
>> zone is re-signed at once.  To use the offline time model just
>> use 22.5 days as the time to sign the zone rather than the fictional
>> 0 seconds.
> 
> I'm supposedly using inline-signing:
>        auto-dnssec maintain;
>        inline-signing yes;
> 
> I set the time as short as I could as I really don't want to wait a
> month to see the rollover happen, but I suspect (and I think that's what
> you said above) it's the date in the rrsig record that actually matters.

You could set "sig-validity-interval 30 29;" if you want to see things happen
faster.  This causes the RRSIGs to have a 30 day validity interval and be
re-signed 29 days before that expires.

Remember with DNSSEC you never move onto the next step without checking that the
last step completed first.  The next step can always be stalled.  This applies
to both online and offline signing.  There are lots of "wait until xxx" in DNSSEC
maintenance.  Don't schedule multiple steps at once.  Even with a single machine
unexpected events can happen.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
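An added check along the lines of Mark's advice, not code from the thread or from ISC: before deleting an inactivated key, parse the RRSIGs a resolver still sees (a constructed `dig +dnssec` style sample is embedded below, with key tags 11111 for the old key and 22222 for the new one, both made up) and compute when the last signature made with the old key expires. It also reproduces the re-sign timing for a given sig-validity-interval ("30" gives 22.5 days, "30 29" gives 1 day).

```python
from datetime import datetime

# Constructed sample: RRSIG RRs in presentation format as returned by
# `dig +dnssec`. Key tag 11111 is the OLD (inactivated) key, 22222 the NEW key.
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG A 13 2 3600 20200327083000 20200226083000 11111 example.com. abc=
example.com. 3600 IN RRSIG MX 13 2 3600 20200320120000 20200219120000 11111 example.com. def=
www.example.com. 3600 IN RRSIG A 13 3 3600 20200328090000 20200227090000 22222 example.com. ghi=
"""

def parse_rrsig(line):
    """Split one presentation-format RRSIG RR into named fields.
    Field order: owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    fmt = "%Y%m%d%H%M%S"
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "expiration": datetime.strptime(f[8], fmt),
        "inception": datetime.strptime(f[9], fmt),
        "key_tag": int(f[10]), "signer": f[11],
    }

def resign_delay_days(validity_days, resign_days=None):
    """Days after signing at which named re-signs an RRSIG for a given
    sig-validity-interval. With one value BIND re-signs when 1/4 of the
    validity is left ("30" -> 22.5 days); with two values it re-signs
    `resign_days` before expiry ("30 29" -> 1 day)."""
    if resign_days is None:
        resign_days = validity_days / 4
    return validity_days - resign_days

def old_key_rrsigs(text, old_tag):
    """All RRSIGs in `text` that were still made with the old key tag."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [r for r in map(parse_rrsig, lines) if r["key_tag"] == old_tag]

def old_key_gone_by(text, old_tag):
    """Earliest time at which no RRSIG made with old_tag can still validate,
    i.e. the 'wait until' before the old key may be deleted. Returns None when
    nothing in `text` is signed by the old key any more."""
    remaining = old_key_rrsigs(text, old_tag)
    if not remaining:
        return None
    return max(r["expiration"] for r in remaining)
```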

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users