[Opendnssec-develop] Off-by-one error and new year
Rickard Bellgrim
rickard at opendnssec.org
Tue Dec 27 11:59:34 UTC 2011
> Assuming only the signer is affected: When the enforcer rolls to a new
> key then at some point it will remove the references to the old key from
> the signconf. The signer will then promptly drop all (still valid)
> signatures of that old key.
>
> Normally the signer will gradually roll from one key to the next. In
> this scenario your whole zone gets signed at once as the signer can
> reuse every signature till the very last moment.
Ok, so you will never have a signature in the zone where there is no DNSKEY?
The Signer Engine will do a smooth transition between keys, but in
this case you will have a signature that is valid for a year extra. At
some point the Enforcer will remove the DNSKEY, because it thinks that
all of the signatures have been replaced.
// Rickard
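A check for the situation discussed in this thread, written as an added example (not OpenDNSSEC code): it walks a zone and reports any RRSIG whose signing DNSKEY is no longer published at the signer name, and any RRSIG whose validity window is longer than the configured signature lifetime. The records, key material and the 14-day lifetime are constructed for the example.

```python
import base64
import struct
from datetime import datetime

# Constructed sample records (not from the mailing list): one KSK/ZSK pair and
# three RRSIGs, one of which was made with a key that is no longer published
# and carries a year-long validity window.
ZONE = """\
example. 3600 IN DNSKEY 257 3 8 AQIDBA==
example. 3600 IN DNSKEY 256 3 8 BQY=
www.example. 3600 IN RRSIG A 8 2 3600 20120110000000 20111227000000 2318 example. c2ln
example. 3600 IN RRSIG DNSKEY 8 1 3600 20120110000000 20111227000000 2063 example. c2ln
mail.example. 3600 IN RRSIG A 8 2 3600 20121227000000 20111227000000 4242 example. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    """Collect published keys as (owner, algorithm, key tag) and parse RRSIGs."""
    keys, sigs = set(), []
    for line in text.splitlines():
        f = line.split()
        if f[3] == "DNSKEY":
            keys.add((f[0], int(f[6]), key_tag(int(f[4]), int(f[5]), int(f[6]), f[7])))
        elif f[3] == "RRSIG":
            sigs.append({"owner": f[0], "type": f[4], "alg": int(f[5]),
                         "expire": datetime.strptime(f[8], "%Y%m%d%H%M%S"),
                         "incept": datetime.strptime(f[9], "%Y%m%d%H%M%S"),
                         "tag": int(f[10]), "signer": f[11]})
    return keys, sigs

def check_zone(text, max_validity_days):
    """Return (owner, type, problem) for every orphaned or over-long RRSIG."""
    keys, sigs = parse_zone(text)
    findings = []
    for s in sigs:
        if (s["signer"], s["alg"], s["tag"]) not in keys:
            findings.append((s["owner"], s["type"], "no DNSKEY for key tag %d" % s["tag"]))
        validity = (s["expire"] - s["incept"]).days
        if validity > max_validity_days:
            findings.append((s["owner"], s["type"],
                             "validity %d days exceeds %d" % (validity, max_validity_days)))
    return findings
```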