[Opendnssec-develop] Off-by-one error and new year

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Dec 27 12:25:10 UTC 2011

> Ok, so you will never have a signature in the zone where there is no DNSKEY?


> The Signer Engine will do a smooth transition between keys, but in
> this case you will have a signature that is valid for a year extra. At
> some point the Enforcer will remove the DNSKEY, because it thinks that
> all of the signatures have been replaced.

Yes, at this point the signer will start to sweat, doing all the work at
once instead of during the last validity period.

Yuri Schaeffer
NLnet Labs
