[Opendnssec-user] About the lifetime for ZSK
yuri at nlnetlabs.nl
Tue Dec 1 13:33:07 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
> A key in 'retire' status seems to still being used to sign new RR.
> But the 'active' key was not used to generate signature of RR. Does
> it mean the OPENDNSSEC was working abnormally?
That indeed seems abnormal. My guess is that -for whatever reason- the
signer did not pick up the changes signer configuration output by the
Does "ods-signer update testzone17" help?
Then add a new record and check with which key it was signed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the Opendnssec-user