...

RRSIG Signatures

...

As shown in the sample RRSIG record in RRSIG Resource Records, the signatures have an inception and an expiration time. The default validity period of signatures in RRSIG records on the Grid Master is four days. You can change this default, as long as it is not less than one day or more than 3660 days. The Grid Master automatically renews signatures before their expiration date.
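The following is an added example, not Infoblox code: a monitoring check that parses an RRSIG record in presentation format, confirms that its validity period falls within the one-day to 3660-day range stated above, and flags signatures that are close to expiring, which would suggest that automatic renewal has stalled. The sample record, the function names and the one-day `renew_margin` threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Bounds from the text above: validity may be set from 1 to 3660 days.
MIN_VALIDITY = timedelta(days=1)
MAX_VALIDITY = timedelta(days=3660)

# Constructed sample record (four-day validity; the signature is a placeholder).
SAMPLE = ("example.com. 3600 IN RRSIG A 8 2 3600 20240105000000 "
          "20240101000000 12345 example.com. c2lnbmF0dXJl")

def _ts(field):
    """Parse an RRSIG time field: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Extract the fields this check needs from a presentation-format RRSIG."""
    f = line.split()
    i = f.index("RRSIG")
    # RDATA order: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer. Expiration comes first.
    return {"owner": f[0], "covered": f[i + 1], "algorithm": int(f[i + 2]),
            "expiration": _ts(f[i + 5]), "inception": _ts(f[i + 6]),
            "key_tag": int(f[i + 7]), "signer": f[i + 8]}

def check_rrsig(line, now, renew_margin=timedelta(days=1)):
    """Return findings for one RRSIG; an empty list means nothing to report.

    renew_margin is an assumed alert threshold, not a Grid Master setting.
    """
    r = parse_rrsig(line)
    findings = []
    validity = r["expiration"] - r["inception"]
    if not MIN_VALIDITY <= validity <= MAX_VALIDITY:
        findings.append("validity-out-of-range")
    if now < r["inception"]:
        findings.append("not-yet-valid")
    if now >= r["expiration"]:
        findings.append("expired")
    elif r["expiration"] - now <= renew_margin:
        findings.append("expiring-soon")
    return findings

if __name__ == "__main__":
    print(check_rrsig(SAMPLE, datetime.now(timezone.utc)))
```

Feed it the RRSIG lines returned by a DNSSEC-enabled query for the zone; a recurring `expiring-soon` finding on a zone that should renew automatically is worth investigating before validators start rejecting answers.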

Configuring DNSSEC Parameters

...

When you modify the algorithms for a signed zone, you can either apply the algorithm changes to the zone, as described in Applying the Algorithm Changes, or unsign the zone and sign it again. For an unsigned zone, however, you can apply the algorithm changes by signing the zone. For information about signing a zone, see Signing a Zone.
When you re-sign a zone after adding an algorithm, the DNSKEY key pairs of the old algorithms are rolled over and all the old RRSIG records are removed. The zone is re-signed with the new DNSKEY key pairs. When you re-sign a zone after removing an algorithm, the DNSKEY key pairs of the remaining algorithms are rolled over and the DNSKEY key pairs of the removed algorithm are removed. All old RRSIG records are removed and the zone is re-signed with the new DNSKEY key pairs.

...

Note: If you add or remove a KSK algorithm from a zone, you must update the DS RRsets at the parent zone when the parent zone is managed by a non-Infoblox DNS server or an Infoblox server that is part of a different Grid. For information, see Importing a Keyset.

...