[Opendnssec-user] Auditor and KSK rollovers
Antti Ristimäki
aristima at csc.fi
Tue Jun 22 06:46:55 UTC 2010
Hi,

It seems that the ods-auditor doesn't deal perfectly with the current
(version 1.1.0) KSK rollover logic. When the KSK rollover is being
initiated (that is, a new KSK is introduced in the zone and used to sign
the DNSKEY RRset) and when the zone is signed for the next time, the
auditor complains:

    ods-auditor[3894]: Key (32345) has gone straight to active use without a prepublished phase

The auditor seems to expect that a new key is always prepublished, as is
done with ZSK rollovers.

When the zone is signed for the second time after KSK rollover
initiation, the auditor passes normally. So, currently we will miss one
zone update round when KSK is rolled and the auditor is used. This is
not a major issue, but not a desired behaviour, either.

Regards,
Antti
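
The behaviour reported above, as an added example that is not part of the original message and is not ods-auditor's code: a simplified model of a pre-publication check, assuming the auditor remembers which key tags appeared in the DNSKEY RRset on earlier runs. All names and all key tags except 32345 are constructed for illustration.

```python
# Simplified, assumed model of a pre-publication check (not ods-auditor's code).
# A run is (published, signing): key tags in the DNSKEY RRset, and key tags
# that produced RRSIGs in that signed zone.

def audit_run(previously_published, published, signing):
    """Audit one signing run; return (warnings, updated set of known tags)."""
    warnings = []
    for tag in sorted(signing):
        if tag not in published:
            warnings.append(f"Key ({tag}) signs but is not in the DNSKEY RRset")
        elif tag not in previously_published:
            # Key is signing on the first run in which it was ever visible.
            warnings.append(f"Key ({tag}) has gone straight to active use "
                            "without a prepublished phase")
    return warnings, previously_published | published

def audit_sequence(initial_keys, runs):
    """Audit consecutive runs, carrying the known key tags forward."""
    state, results = set(initial_keys), []
    for published, signing in runs:
        warnings, state = audit_run(state, set(published), set(signing))
        results.append(warnings)
    return results

# Constructed key tags; 32345 is the tag from the log line in the message.
OLD_ZSK, NEW_ZSK, OLD_KSK, NEW_KSK = 1111, 2222, 3333, 32345

# ZSK rollover: the new ZSK is published in one run and signs in a later one.
ZSK_ROLLOVER = [
    ({OLD_KSK, OLD_ZSK, NEW_ZSK}, {OLD_KSK, OLD_ZSK}),
    ({OLD_KSK, OLD_ZSK, NEW_ZSK}, {OLD_KSK, NEW_ZSK}),
]
# KSK rollover as described: the new KSK is introduced and signs the
# DNSKEY RRset in the same run, so it has no published-only run.
KSK_ROLLOVER = [
    ({OLD_KSK, NEW_KSK, OLD_ZSK}, {OLD_KSK, NEW_KSK, OLD_ZSK}),
    ({OLD_KSK, NEW_KSK, OLD_ZSK}, {OLD_KSK, NEW_KSK, OLD_ZSK}),
]

if __name__ == "__main__":
    start = {OLD_KSK, OLD_ZSK}
    for name, runs in (("ZSK", ZSK_ROLLOVER), ("KSK", KSK_ROLLOVER)):
        for i, warnings in enumerate(audit_sequence(start, runs), 1):
            print(name, "rollover, run", i, ":", warnings or "pass")
```

In this model the KSK case fails only on the first run, because by the second run the key has already been seen in the DNSKEY RRset; a check that accepted a double-signature introduction for keys signing only the DNSKEY RRset would not lose that round.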