<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Rick, <br>
<br>
I understand that the KSK stays a while in the zone file so that
key sets signed with this key can expire from caches. But why is
the KSK in retired state still used to sign the DNSKEY set ?
Looking further in to it I also see that KSK`s in the publish
state produce RRSIGS for the Keyset. <br>
Problably this is by design. For ZSK`s only the one in the ready
state is used for signing. But probably all the KSK`s,
independently of state, produce a DNSKEY RRSIG. <br>
<br>
Maurice <br>
<br>
<br>
<br>
On 11/19/2015 01:28 PM, Rick van Rein wrote:<br>
</div>
<blockquote cite="mid:564DC063.3020306@openfortress.nl" type="cite">
<pre wrap="">Hi Maurice,
</pre>
<blockquote type="cite">
<pre wrap="">When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
that are in the retire state.
Why does this happen ?
</pre>
</blockquote>
<pre wrap="">
Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.
-Rick
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<table
style="color:#000000;font-family:georgia;font-size:8pt;line-height:12pt;margin-left:-4px;padding:0;">
<tbody>
<tr>
<td style="font-size:10pt;line-height:12pt;"> Maurice Mahieu
</td>
</tr>
<tr>
<td
style="font-size:10pt;line-height:12pt;padding-bottom:10pt;">
System Engineer | <a href="mailto:maurice@info.nl"
style="color:#000;text-decoration:none;">maurice@info.nl</a>
| <a href="tel:+31205309111"
style="color:#000;text-decoration:none;">+31 (0)20 53 09
111</a> </td>
</tr>
<tr>
<td style="font-size:10pt;line-height:16pt;padding-bottom:0;
padding-top: 3px;"> <a href="http://www.info.nl"
style="text-decoration:none;"> <span
style="background-color:#000;color:#fff;font-size:13pt;text-decoration:none;display:inline-block;padding:4px
3px
1px;line-height:1;margin-bottom:-5px;margin-right:-5px;-webkit-font-smoothing:
antialiased;"><no link="">info.nl</no></span> </a>
<a
href="http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig"
style="color:#000;text-decoration:none;"><em
style="color:#000;text-decoration:none;">making
platforms work</em></a> </td>
</tr>
<tr>
<td
style="font-family:georgia;font-size:10pt;line-height:12pt;color:#000;
padding-top: 0;"> Sint Antoniesbreestraat 16 | 1011 HB
Amsterdam | <a href="tel:+31205309100"
style="color:#000;text-decoration:none;">+31 (0)20 530
91 00</a> </td>
</tr>
<tr>
<td style="font-size:10pt;line-height:12pt;"> <a
style="color:#000;text-decoration:none;"
href="https://www.facebook.com/infonl">Facebook</a> | <a
style="color:#000;text-decoration:none;"
href="https://twitter.com/infonl">Twitter</a> | <a
style="color:#000;text-decoration:none;"
href="https://www.linkedin.com/company/info.nl">LinkedIn</a> |
<a style="color:#000;text-decoration:none;"
href="https://plus.google.com/+infonl/">Google+</a> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>