[Opendnssec-user]KSK rollover issue
Siôn Lloyd
sion at nominet.org.uk
Mon Sep 3 09:52:12 UTC 2012
On 27/08/12 07:01, Áõ˶ wrote:
> Hi,
> I'm testing KSK rollover, when the newly created KSK is set active by
> ds-seen, the old KSK became retired, but the DNSKEY is still signed by
> the old KSK after resigning , the new KSK is not used at all. I used
> to think there should be two RRSIG DNSKEYs because of Double Signing.
> When will the new KSK be used for signing? When will the old KSK get
> deleted? The DS is valid in parent zone now, but I can not delete the
> old DS because new KSK is not used by ods-signer.
>
Hi Stuart.
Is it possible that something is preventing the signconf xml file from
being written? If this is the case then the signer will not change the
keys it uses.
Sion
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20120903/207f4aa1/attachment.htm>
More information about the Opendnssec-user
mailing list