[Opendnssec-user] DNSKEY set signed with KSK in retire state.

Rick van Rein rick at openfortress.nl
Thu Nov 19 12:28:19 UTC 2015

Hi Maurice,

> When using OpenDNSSEC,   I see that DNSKEY sets are signed with keys
> that are in the retire state.
> Why does this happen ?

Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.


More information about the Opendnssec-user mailing list