[Opendnssec-user] Re: Key rollover over due

Siôn Lloyd sion at nominet.org.uk
Mon Jul 23 13:58:43 UTC 2012

On 23/07/12 07:40, Jerry Lundström wrote:
> Hi Fred,
> On Fri, Jul 20, 2012 at 1:19 PM, Fred Zwarts (KVI) <F.Zwarts at kvi.nl> wrote:
>> What does that mean exactly? Will OpenDNSSEC continue to sign the zone with
>> the old key until the backup notification is done, or will it stop signing
>> the zone, because the old key is retiring and the new key is not yet ready?
> For what I know, if the Signer have received a key to sign the zone
> with it will continue to do that. Key management is handled by the
> Enforcer and it will not use a new key until you back it up if that
> repository is marked with RequireBackup.

This is correct, the old key will remain in use until the new key is 
considered safe to use, i.e. it has been marked as backed up.

If you use the auditor it will start complaining that a key has been in 
use for longer than your policy allows, this will just be a warning 
however and should not stop zone publication.


More information about the Opendnssec-user mailing list