[Opendnssec-user] KSK rollover issue

shuoleo at 126.com
Mon Aug 27 06:01:03 UTC 2012


Hi,

I'm testing KSK rollover. When the newly created KSK is set active by ds-seen, the old KSK became retired, but the DNSKEY is still signed by the old KSK after re-signing; the new KSK is not used at all. I used to think there should be two RRSIG DNSKEYs because of Double Signing. When will the new KSK be used for signing? When will the old KSK get deleted? The DS is valid in the parent zone now, but I cannot delete the old DS because the new KSK is not used by ods-signer.


Best regards,
Stuart