[Opendnssec-user] ZSK rollover and resigning

Bruno Goossens bruno.goossens at belnet.be
Fri Feb 11 14:09:01 UTC 2011


We noticed in ODS 1.2.0 (stable) that when we do a ZSK rollover, only new records are signed with
the new ZSK.
ODS is reusing signatures made with the retired ZSK. As a result, the old ZSK stays in the zone as a
retired key for 3 weeks ( = our signature validity period)

We expected that from the moment the new ZSK became active, ALL records would be resigned with this
new key.
And the retired ZSK would be removed after some time (depending on TTL and safety margins), and
definitely less than 3 weeks.

On another system with ODS 1.1.3, all records are resigned at the moment of the ZSK rollover.

So is this normal in ODS 1.2.0, and did it change between v1.1.3 and 1.2.0?

Thanks for clearing this up.

Kind regards,
Bruno Goossens

More information about the Opendnssec-user mailing list