[Opendnssec-user] KSK in state READY is used for signing?

Jakob Schlyter jakob at kirei.se
Fri Jun 13 11:58:20 UTC 2014

On 13 jun 2014, at 13:52, Petr Spacek <pspacek at redhat.com> wrote:

> I would expect that <KSK /> flag appears only after ds-seen command, i.e. when the key reaches ACTIVE state.
> It is intentional or is it a bug?

The KSK key rollover works by signing the DNSKEY RRset with all ready/active keys (aka double sign), so this is intentional.


More information about the Opendnssec-user mailing list