Hello,

So I reconfigured one of my domains to use dnssec-policy.  I’m using the policy 
“default” + I’ve only added nsec3 stuff.  All other timers / params are from 
default.  Working fine / as expected.

Luckily for me this is a domain that I don’t use much.  So outages and mistakes 
are easily tolerable.

After a bumpy start, I have the zone “happy” - that is, fully signed, DS in 
parent, and all timers reading “omnipresent”.

I’m trying to use this ISC KB as a guide: 
https://kb.isc.org/docs/dnssec-key-and-signing-policy

So I decided to try a rollover.  So I did: rndc dnssec -rollover -key 12345 
-when 20221122230000 example.com

This now shows up as scheduled in rndc dnssec -status.

However, I expected BIND to create a successor CSK.  Nothing in the key dir, 
nothing in logs, nothing in rndc status.

The whole point of course is to have two “overlapping” keys, two DS’es, i.e. 
two chains of trust.  And then when everything is happy timer-wise, the old key 
(and DS) can go away.

Is BIND going to do this sometime before the actual rollover?  Or is there 
something else I need to do?  Speaking of this - what exactly happens at the 
rollover time?

Thanks.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
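The post wants two DS records in the parent, one per CSK, before the old key goes away. The check below is an added example (not code from the post, from ISC, or from BIND): it computes each DNSKEY's key tag (RFC 4034 Appendix B, the number `rndc dnssec -rollover -key` refers to) and its DS digest, then reports which keys the parent's DS set actually covers. The DNSKEY and DS values are constructed sample data, not real keys; in practice they would come from `dig DNSKEY` against the child and `dig DS` against the parent.

```python
import base64
import hashlib

# Added example, not from the original post; key/DS values below are constructed, not real keys.

def name_to_wire(name):
    """Owner name in canonical lowercase wire format (RFC 4034 DS digest input)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag; the number 'rndc dnssec -rollover -key <tag>' names."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner wire || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def chains_of_trust(owner, dnskeys, parent_ds):
    """Map key tag -> True if parent_ds holds a DS (tag, alg, digest_type, digest) matching that
    DNSKEY (flags, protocol, alg, base64). Two True entries means two overlapping chains."""
    result = {}
    for flags, proto, alg, b64 in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, b64)
        tag = key_tag(rdata)
        result[tag] = any(t == tag and a == alg and d.upper() == ds_digest(owner, rdata, dt)
                          for t, a, dt, d in parent_ds)
    return result

# Constructed sample: two CSKs (flags 257, alg 13) with short fake public keys. In practice the
# tuples come from 'dig DNSKEY example.com' and 'dig DS example.com @<parent server>'.
OLD_CSK = (257, 3, 13, "AAECAw==")
NEW_CSK = (257, 3, 13, "BAUGBw==")
old_rdata = dnskey_rdata(*OLD_CSK)
# Parent currently publishes a DS for the old key only (the state the post describes).
PARENT_DS = [(key_tag(old_rdata), 13, 2, ds_digest("example.com", old_rdata))]

if __name__ == "__main__":
    for tag, ok in chains_of_trust("example.com", [OLD_CSK, NEW_CSK], PARENT_DS).items():
        print(f"key {tag}: DS in parent = {ok}")
```

A key reported False is not yet a chain of trust; the old DS should only be withdrawn once every key still signing the zone is reported True.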