[Opendnssec-user] "error creating RRSIG" because of retired and purged ZSK
    Mathieu Arnold 
    mat at mat.cc
       
    Mon Oct 24 11:58:51 UTC 2011
    
    
  
+--On 24 October 2011 13:16:12 +0200 Peter Olsson <pol at leissner.se> wrote:
| (Now what will happen when there are cached records out there
| with the purged ZSK? Is there a risk of complete zone failure,
| should I remove DS and start DNSSec fresh?)
Well, compare the DS TTL and the RRSIG TTL, you'll have your answer, but I
think the former has a longer TTL than the second. (It was the case for me,
and it was simpler to force a complete resign of the zone and wait for the storm
to pass.)
-- 
Mathieu Arnold