On 2/25/20 2:22 PM, Mark Andrews wrote:
> You could set "sig-validity-interval to 30 29;" if you want to see things happen
> faster. This causes the RRSIGs to have a 30 day validity interval and be re-signed
> 29 days before that expires.

That sounds like a useful option, thanks!

> Remember with DNSSEC you never move onto the next step without checking that the
> last step completed first. The next step can always be stalled. This applies to both
> online and offline signing. There are lots of “wait until xxx” in DNSSEC maintenance.
> Don’t schedule multiple steps at once. Even with a single machine unexpected events
> can happen.

Yup: publish, activate, deactivate, delete. I've been letting it generate rrsigs for a long time now, but figured it was time I get the rollover process worked out so I can actually get dnssec enabled (with the DS record tie-in) and be sure it's not going to break at some random time in the future.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users