<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<STYLE>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: 宋体; COLOR: #000000; FONT-SIZE: 10.5pt
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY style="MARGIN: 10px">
<DIV><SPAN>Hi,</SPAN></DIV>
<DIV><SPAN></SPAN> </DIV>
<DIV><SPAN>I'm testing KSK rollover. When the newly created KSK was set active by
ds-seen, the old KSK became retired, but the DNSKEY is still signed by the old
KSK after re-signing; the new KSK is not used at all. I used to think there
should be two RRSIG </SPAN><SPAN>DNSKEYs because of Double Signing. When will
the new KSK be used for signing? When will the old KSK get deleted? The DS is
valid in the parent zone now, but I cannot delete the old DS because the new KSK
is not used by ods-signer.</SPAN></DIV>
<DIV><SPAN></SPAN> </DIV>
<DIV><SPAN></SPAN> </DIV>
<DIV><SPAN>Best regards,</SPAN></DIV>
<DIV><SPAN>Stuart</SPAN></DIV></BODY></HTML>