[Opendnssec-user] KSK rollover not working in time

Siôn Lloyd sion at nominet.org.uk
Tue Jul 15 14:42:07 UTC 2014


Hi Christoph,

Firstly I should say that the current key will not be retired until you
say that the new key has appeared in the DNS... I.e. it will live on
past retirement while no key is in place to take over.

That new key must have been published at some point, but I can't tell
when from your email. Are you giving the enforcer time to run with the
changed dates before you run the key list command?

Finally, where do you get your 10 day timer from?

Sion

On 15/07/14 15:26, Christoph.Malin at vtg.at wrote:
> Hi,
>
> I'm playing around with opendnssec. I added a zone to opendnssec and
> it was signed.
>
> Then I changed the date of the server to (12.07.2015), a few days
> before the KSK retires.
>
> In the log file:
>
> Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at
>
> Also when I print the current keys:
>
> vtg.at                          KSK           active    2015-07-15 18:20:53 (retire)
>
> Then I changed the date to 2015-07-16. Suddenly a second KSK was here.
>
> vtg.at                          KSK           ready     waiting for ds-seen (active)   2048
>
> Why was the key not generated before retirement? I want the key to be
> generated 10 days before it expires.
>
> Otherwise the chain of trust is broken.
>
> Can anybody help me?
>
> Best regards,
>
> Christoph
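Siôn's point above is that the old KSK is not retired until the operator confirms the new KSK's DS has appeared at the parent, so the thing worth checking before giving that confirmation is that the DS the parent publishes really matches the key sitting in the "ready, waiting for ds-seen" state. The following script is an added example, not code from this thread or from the OpenDNSSEC project: it re-derives the RFC 4034 key tag and DS digest from DNSKEY fields and compares them with a DS record as it would be read from the parent. The key bytes, zone name and the function names (`ds_matches` and friends) are constructed for illustration and are not a real key.

```python
"""Verify that a parent DS record matches a child KSK before signalling ds-seen.

Added example (not from the mailing-list thread or OpenDNSSEC). Implements the
RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) from scratch so it
runs offline. All key material below is constructed dummy data.
"""
import base64
import hashlib
import struct

# DS digest type -> hash constructor (RFC 4034 / RFC 4509 / RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length: {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, ds_record: tuple) -> bool:
    """True only if ds_record (key_tag, algorithm, digest_type, digest_hex), as
    read from the parent zone, was derived from this DNSKEY and the DNSKEY is a
    KSK (SEP flag set). Whitespace and case in the digest are ignored, as
    presentation format allows both."""
    if flags & 0x0001 == 0:  # SEP bit clear: a ZSK must never be referenced by a DS
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    tag, alg, dtype, digest = ds_record
    if dtype not in DS_DIGESTS or alg != algorithm or tag != key_tag(rdata):
        return False
    return "".join(digest.split()).upper() == ds_digest(owner, rdata, dtype)


if __name__ == "__main__":
    # Constructed example: the zone from the thread with a dummy 2-byte "key".
    zone, flags, proto, alg = "vtg.at.", 257, 3, 8
    pub = base64.b64encode(b"\x01\x02").decode()
    rdata = dnskey_rdata(flags, proto, alg, b"\x01\x02")
    ds = (key_tag(rdata), alg, 2, ds_digest(zone, rdata, 2))
    print("DS at parent:", ds)
    print("matches child KSK:", ds_matches(zone, flags, proto, alg, pub, ds))
```

Run it with the DS actually returned by the parent (for example from a `dig DS vtg.at` against the parent's authoritative servers) in place of the constructed tuple; only when `ds_matches` is true for the key shown as "waiting for ds-seen" should the enforcer be told the DS is live, which in OpenDNSSEC 1.4 is done with `ods-ksmutil key ds-seen --zone <zone> --keytag <tag>`. Until then the enforcer keeps the old KSK active past its retire time, which is the behaviour Siôn describes.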
