[Opendnssec-user] Re: Key rollover over due
sion at nominet.org.uk
Mon Jul 23 13:58:43 UTC 2012
On 23/07/12 07:40, Jerry Lundström wrote:
> Hi Fred,
> On Fri, Jul 20, 2012 at 1:19 PM, Fred Zwarts (KVI) <F.Zwarts at kvi.nl> wrote:
>> What does that mean exactly? Will OpenDNSSEC continue to sign the zone with
>> the old key until the backup notification is done, or will it stop signing
>> the zone, because the old key is retiring and the new key is not yet ready?
> From what I know, if the Signer has received a key to sign the zone
> with, it will continue to do that. Key management is handled by the
> Enforcer, and it will not use a new key until you back it up if that
> repository is marked with RequireBackup.
This is correct: the old key will remain in use until the new key is
considered safe to use, i.e. it has been marked as backed up.
If you use the auditor, it will start complaining that a key has been in
use for longer than your policy allows; this will just be a warning,
however, and should not stop zone publication.
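For readers who want to see where the RequireBackup setting discussed above lives, here is an added example (not from the thread or the OpenDNSSEC project) of a conf.xml repository entry with it enabled; the repository name, module path, token label and PIN are placeholders, and the ods-ksmutil invocation in the comment is the backup-notification command as documented for OpenDNSSEC 1.x (check the man page for your version).

```xml
<!-- Added example: conf.xml fragment marking an HSM repository as requiring backup.
     Placeholders: repository name, module path, token label and PIN. -->
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
      <!-- With this element present, the Enforcer will not hand a newly generated
           key to the Signer until that key has been reported as backed up. Keys the
           Signer already holds stay in use, so the zone keeps getting signed with the
           old key; the auditor may warn that it has outlived the policy lifetime. -->
      <RequireBackup/>
    </Repository>
  </RepositoryList>
</Configuration>
<!-- Once the HSM/token contents have actually been backed up, notify the Enforcer
     so the pending key becomes eligible for use (command per OpenDNSSEC 1.x docs):
       ods-ksmutil backup done --repository SoftHSM
     Without this step the rollover stays "over due" indefinitely. -->
```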