Hello, I changed one of my domains over to dnssec-policy today (in a “nuclear” fashion) - but everything went surprisingly well. Previous to this, I had lowered all my TTLs to hopefully help with this process or any errors/mistakes I might make.
I then went to put the TTLs back to their normal higher value. What I wasn’t aware of - is the now discrepancy between the RR TTL and RRSIG TTL. DNSViz validates all the way down just fine - but I get errors on my top level common RRs due to this mismatch. I assume over time as BIND resigns nodes, these will all get in sync? In the meantime - is there any way to “force” BIND to resign everything? I’m not seeing an rndc command that looks to do this. Looks like all the dnssec policy commands are under “rndc dnssec <option>”. The other commands are obviously for the “old” way of signing. So is there a way to do this? Or do I just need to wait? Thanks.
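A check for the RR/RRSIG TTL discrepancy described in the post above, as an added example that is not part of the original message. It assumes records in zone-file presentation format as returned by the authoritative server (a resolver's cached answer would show decremented TTLs); the function name, `example.com` names and all sample records are constructed for illustration.

```python
# Constructed sample records (placeholder names, dummy signature data).
SAMPLE = """\
example.com. 86400 IN A 192.0.2.10
example.com. 300 IN RRSIG A 13 2 300 20250101000000 20241201000000 12345 example.com. c2lnbmF0dXJl
example.com. 86400 IN MX 10 mail.example.com.
example.com. 86400 IN RRSIG MX 13 2 86400 20250101000000 20241201000000 12345 example.com. c2lnbmF0dXJl
www.example.com. 3600 IN AAAA 2001:db8::1
"""


def find_ttl_mismatches(text):
    """Return (owner, type, rrset_ttl, rrsig_ttl, original_ttl) for every
    RRSIG whose TTL or Original TTL field differs from the covered RRset."""
    rrsets = {}  # (owner, type) -> TTL of the RRset
    sigs = []    # (owner, covered type, RRSIG record TTL, Original TTL field)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue  # skip blank lines, comments and truncated records
        owner, ttl, rtype = f[0].lower(), int(f[1]), f[3].upper()
        if rtype == "RRSIG":
            if len(f) < 8:
                continue
            # RRSIG RDATA: type-covered, algorithm, labels, original-ttl, ...
            sigs.append((owner, f[4].upper(), ttl, int(f[7])))
        else:
            rrsets[(owner, rtype)] = ttl

    mismatches = []
    for owner, covered, sig_ttl, orig_ttl in sigs:
        rr_ttl = rrsets.get((owner, covered))
        if rr_ttl is None:
            continue  # signature without its RRset in this input
        if rr_ttl != sig_ttl or rr_ttl != orig_ttl:
            mismatches.append((owner, covered, rr_ttl, sig_ttl, orig_ttl))
    return sorted(mismatches)


if __name__ == "__main__":
    for owner, rtype, rr_ttl, sig_ttl, orig_ttl in find_ttl_mismatches(SAMPLE):
        print(f"{owner} {rtype}: RRset TTL {rr_ttl}, "
              f"RRSIG TTL {sig_ttl}, Original TTL {orig_ttl}")
```

Running the same check again after the zone has been re-signed shows which RRsets still carry signatures generated under the old, lower TTL.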