[Opendnssec-user] Key rollover issue...what am I doing wrong?
jake at elsif.net
Tue Nov 6 15:17:42 UTC 2012
SQLite database set to: /var/opendnssec/kasp.db
Zone:   Keytype:  State:  Date of next transition (to):   Size:  Algorithm:  CKA_ID:                           Repository:
<snip>  KSK       ready   waiting for ds-seen (active)    2048   8           4e73113d40c313a459d91ba0efe4b7c7
<snip>  ZSK       retire  2012-11-13 05:47:10 (dead)      1024   8           8b28e3a000a937d4c4e4e33774e35c3a
<snip>  ZSK       active  2012-12-05 16:47:10 (retire)    1024   8           07b751af4606264c62767c6894f41e3f
Yesterday the ZSK rollover occurred. 19855 moved to "retire", and "7645" was
selected as the next key and made "active".
ODS hasn't used the new "7645" key yet. It's been 14 hours, 14 signings.
I nuked the old signed zone thinking that perhaps it was re-using old
signatures and hadn't required signing with the new key yet, but that's
had no effect.
So...when exactly is ODS supposed to start mentioning the "active" key in