[Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year
matthijs at nlnetlabs.nl
Tue Jan 17 13:15:45 UTC 2012
On 01/17/2012 02:00 PM, Rickard Bellgrim wrote:
>>> Remove the affected signatures:
>>> If there are signatures in the zone with extra long validity periods,
>>> then it is recommended to drop all of the signatures and re-sign the
>>> zone. This can be done with the following commands:
>>>> ods-signer clear <zone>
>>>> ods-signer sign <zone>
>> This temporarily breaks the domain's validity, right? This
>> should be avoided if possible -- which I think it is.
> "ods-signer clear" will clear the internal signatures. New ones will
> be created and distributed during the next scheduled re-sign. The sign
> command will force this to happen now.
> The keys are still there, just that we get a new set of signatures.
> Nothing will break here.
Rickard is right here (and faster than me with typing ;)).
>>> The issue has been fixed in ldns 1.6.12. Upgrade to this version in
>>> order to not get affected the next time.
>> "next time" meaning "you should upgrade to the new LDNS before the
>> end of the current year" right?
> Yes, will fix that text.
The next time the bug will have effect is 1st of January 2014. That date
will be converted to December 31 2016.
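Added example, not part of the thread and not OpenDNSSEC or ldns code: one way to check a signed zone file for the "signatures with extra long validity periods" that the quoted text says should be cleared and re-signed. It assumes one record per line; the 30-day threshold and the sample zone are constructed, so set `max_validity` to the signature validity your own policy uses.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone (not from the thread); names, key tag and signatures are made up.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013121801 3600 600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20131230000000 20131218000000 12345 example.com. c2lnMQ==
example.com. 3600 IN NSEC www.example.com. NS SOA RRSIG NSEC DNSKEY
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20161231000000 20131218000000 12345 example.com. c2lnMg==
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS or seconds since the epoch (RFC 4034, 3.2)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def long_lived_rrsigs(zone_text, max_validity=timedelta(days=30)):
    """Return (owner, type covered, key tag, validity in days) for each RRSIG
    whose expiration - inception exceeds max_validity (an assumed threshold)."""
    findings, owner = [], None
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]            # drop comments
        tok = line.split()
        if not tok:
            continue
        i = 0
        if not line[0].isspace():               # owner present; otherwise inherit the previous one
            owner, i = tok[0], 1
        while i < len(tok) and (tok[i].isdigit() or tok[i].upper() in ("IN", "CH", "HS")):
            i += 1                              # skip optional TTL and class
        if i >= len(tok) or tok[i].upper() != "RRSIG" or len(tok) < i + 9:
            continue                            # not an RRSIG record (e.g. an NSEC type bitmap)
        # Fields after RRSIG: covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer, signature.
        validity = parse_time(tok[i + 5]) - parse_time(tok[i + 6])
        if validity > max_validity:
            findings.append((owner, tok[i + 1], int(tok[i + 7]), validity.days))
    return findings

if __name__ == "__main__":
    for owner, covered, keytag, days in long_lived_rrsigs(SAMPLE_ZONE):
        print(f"{owner} RRSIG({covered}) keytag={keytag} valid for {days} days")
```

Any record it reports is a candidate for the `ods-signer clear <zone>` and `ods-signer sign <zone>` sequence quoted above.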