[Opendnssec-develop] Off-by-one error and new year

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Dec 27 12:25:10 UTC 2011


> Ok, so you will never have a signature in the zone where there is no DNSKEY?

Correct.

> The Signer Engine will do a smooth transition between keys, but in
> this case you will have a signature that is valid for a year extra. At
> some point the Enforcer will remove the DNSKEY, because it thinks that
> all of the signatures have been replaced.

Yes. At this point the signer will start to sweat, doing all the work at
once instead of during the last validity period.

-- 
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl


