[Opendnssec-develop] Off-by-one error and new year

Rickard Bellgrim rickard at opendnssec.org
Tue Dec 27 12:31:47 UTC 2011

>> The Signer Engine will do a smooth transition between keys, but in
>> this case you will have a signature that is valid for a year extra. At
>> some point will the Enforcer remove the DNSKEY, because it thinks that
>> all of the signatures have been replaced.
> Yes, At this point the signer will start to sweat. Doing all the work at
> once, instead of during the last validity period.

So the conclusion is that there will be no post-publication of the
DNSKEY for this signature, right?

More information about the Opendnssec-develop mailing list