[Opendnssec-user] DNSKEY set signed with KSK in retire state.

Maurice maurice at info.nl
Thu Nov 19 11:04:32 UTC 2015


When using OpenDNSSEC,  I see that DNSKEY sets are signed with KSK`s  
that are in the retire state.
Why does this happen ? I would expect that only keys in the active or 
ready state would be used for signing the DNSKEY set. In a test zone 
where I have 3 KSK`s;  one in the ready, one in the active, and one in 
the retire state. I see that all 3 KSK are used to generate a signature, 
so there are now 3 DNSKEY RRSIG`s in my zonefile.

With kind regards,

Maurice Mahieu
System Engineer  | maurice at info.nl <mailto:maurice at info.nl>  | +31 (0)20 
53 09 111 <tel:+31205309111>
info.nl <http://www.info.nl> /making platforms work/ 

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  | +31 (0)20 530 91 00 
Facebook <https://www.facebook.com/infonl> | Twitter 
<https://twitter.com/infonl> | LinkedIn 
<https://www.linkedin.com/company/info.nl> | Google+ 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20151119/62d6356a/attachment.htm>

More information about the Opendnssec-user mailing list