[Opendnssec-user] DNSKEY set signed with KSK in retire state.
Maurice
maurice at info.nl
Thu Nov 19 11:04:32 UTC 2015
Hello,
When using OpenDNSSEC, I see that DNSKEY sets are signed with KSK`s
that are in the retire state.
Why does this happen ? I would expect that only keys in the active or
ready state would be used for signing the DNSKEY set. In a test zone
where I have 3 KSK`s; one in the ready, one in the active, and one in
the retire state. I see that all 3 KSK are used to generate a signature,
so there are now 3 DNSKEY RRSIG`s in my zonefile.
With kind regards,
--
Maurice Mahieu
System Engineer | maurice at info.nl <mailto:maurice at info.nl> | +31 (0)20
53 09 111 <tel:+31205309111>
info.nl <http://www.info.nl> /making platforms work/
<http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig>
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 00
<tel:+31205309100>
Facebook <https://www.facebook.com/infonl> | Twitter
<https://twitter.com/infonl> | LinkedIn
<https://www.linkedin.com/company/info.nl> | Google+
<https://plus.google.com/+infonl/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20151119/62d6356a/attachment.htm>
More information about the Opendnssec-user
mailing list