[Opendnssec-user] About the lifetime for ZSK
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Dec 1 13:33:07 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi gaolei,
> A key in 'retire' status seems to still being used to sign new RR.
> But the 'active' key was not used to generate signature of RR. Does
> it mean the OPENDNSSEC was working abnormally?
That indeed seems abnormal. My guess is that -for whatever reason- the
signer did not pick up the changes signer configuration output by the
enforcer.
Does "ods-signer update testzone17" help?
Then add a new record and check with which key it was signed.
//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlZdoZIACgkQI3PTR4mhavgQUgCeN6RXgSirL91KaP4Uy/5cETkg
imkAn1P6vRIIeAsiEuB6WWw/jty2igW+
=1rTn
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list