[Opendnssec-user] KSK in state READY is used for signing?
jakob at kirei.se
Fri Jun 13 11:58:20 UTC 2014
On 13 jun 2014, at 13:52, Petr Spacek <pspacek at redhat.com> wrote:
> I would expect that <KSK /> flag appears only after ds-seen command, i.e. when the key reaches ACTIVE state.
> It is intentional or is it a bug?
The KSK key rollover works by signing the DNSKEY RRset with all ready/active keys (aka double sign), so this is intentional.
More information about the Opendnssec-user