[Opendnssec-user] DNSKEY set signed with KSK in retire state.
maurice at info.nl
Thu Nov 19 11:04:32 UTC 2015
When using OpenDNSSEC, I see that DNSKEY sets are signed with KSK`s
that are in the retire state.
Why does this happen ? I would expect that only keys in the active or
ready state would be used for signing the DNSKEY set. In a test zone
where I have 3 KSK`s; one in the ready, one in the active, and one in
the retire state. I see that all 3 KSK are used to generate a signature,
so there are now 3 DNSKEY RRSIG`s in my zonefile.
With kind regards,
System Engineer | maurice at info.nl <mailto:maurice at info.nl> | +31 (0)20
53 09 111 <tel:+31205309111>
info.nl <http://www.info.nl> /making platforms work/
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 00
Facebook <https://www.facebook.com/infonl> | Twitter
<https://twitter.com/infonl> | LinkedIn
<https://www.linkedin.com/company/info.nl> | Google+
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-user