> On 2nd of July I stopped OpenDNSSEC and emptied
> /usr/local/var/opendnssec/tmp/. Once started, all zones were resigned,
> and I can see the SOA for all zones set to 2017070200 on the public
> DNS. Since then there was nothing resigned, except for one zone with
> ZSK renewed.

Right. So on the 2nd of July everything was signed from scratch. You configured a 14 day validity with a 12 hour jitter. If there are no changes to the zone from now the first signature to expire should be around the 15th or 16th of July. So this is perfectly expected behaviour.

After some time this jitter will accumulate and spread the expiring of signatures to a more even distribution. External changes to the zone will speed up this process.

//Yuri
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
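
The behaviour described in the reply above can be reproduced with a small simulation. This is an added example, not part of the original message and not OpenDNSSEC code. The 14 day validity and 12 hour jitter come from the thread; the 3 day refresh, the 2 hour signer interval, the 400 signatures and the uniform plus-or-minus jitter model are assumptions made for illustration.

```python
import random

DAY = 24  # all times are in hours


def simulate(n_sigs=400, validity=14 * DAY, jitter=12, refresh=3 * DAY,
             resign=2, days=730, seed=1):
    """Return (first expiry window in days, signatures re-signed per day).

    validity and jitter are the values from the thread; refresh, resign,
    n_sigs and days are assumed values chosen for this illustration.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible

    def new_expiry(now):
        # Assumed model: expiry = signing time + validity, shifted by a
        # uniformly random amount in [-jitter, +jitter].
        return now + validity + rng.uniform(-jitter, jitter)

    # Everything is signed from scratch at t = 0.
    expiry = [new_expiry(0) for _ in range(n_sigs)]
    first_window = (min(expiry) / DAY, max(expiry) / DAY)

    per_day = [0] * days
    for now in range(resign, days * DAY, resign):  # one signer run per step
        for i, e in enumerate(expiry):
            if e - now < refresh:  # too close to expiry: re-sign it
                expiry[i] = new_expiry(now)
                per_day[now // DAY] += 1
    return first_window, per_day


if __name__ == "__main__":
    window, per_day = simulate()
    print("first expiry between day %.2f and %.2f after signing" % window)
    for start in (0, 180, 360, 700):
        chunk = per_day[start:start + 30]
        print("days %3d-%3d: busiest day re-signs %3d signatures, "
              "%2d days with any re-signing"
              % (start, start + 29, max(chunk), sum(1 for c in chunk if c)))
```

Under these assumptions nothing is re-signed for the first ten days, then every signature is replaced within about a day, and each later cycle widens that burst by the jitter range until the work is spread over many days.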
