[Opendnssec-develop] Off-by-one error and new year

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Dec 27 11:20:46 UTC 2011

> Due to this error, you could get signatures that are valid for one
> year extra. What happens if you leave the signature in the zone? Will
> it be removed during the next key rollover?

Assuming only the signer is affected: When the enforcer rolls to a new
key then at some point it will remove the references to the old key from
the signconf. The signer will then promptly drop all (still valid)
signatures of that old key.

Normally the signer will gradually roll from one key to the next. In
this scenario your whole zone gets signed at once as the signer can
reuse every signature till the very last moment.

So I guess the cpu temperature will rise a bit for one time during that


Yuri Schaeffer
NLnet Labs

More information about the Opendnssec-develop mailing list