[Opendnssec-user] DNSKEY set signed with KSK in retire state.
Rick van Rein
rick at openfortress.nl
Thu Nov 19 12:28:19 UTC 2015
Hi Maurice,
> When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
> that are in the retire state.
> Why does this happen?
Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the world knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.
-Rick
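
An added example, not part of the original message and not OpenDNSSEC code: a small model of why a retired KSK keeps signing the DNSKEY set, assuming validators reach the KSK through a DS record cached from the parent zone. The key tags, TTL and timestamps are constructed values, and all function names are hypothetical.

```python
OLD_KSK, NEW_KSK = 11111, 22222  # constructed key tags
DS_TTL = 3600                    # constructed TTL of the parent's DS record (seconds)
DS_SWAP = 10_000                 # constructed time at which the parent replaced the DS

def ds_at_parent(t):
    """Key tag the parent's DS record points at when queried at time t."""
    return OLD_KSK if t < DS_SWAP else NEW_KSK

def ds_seen_by(fetch_time, now):
    """Key tag of the DS a resolver works with at `now`.
    Simplification: once the cached copy has expired, it refetches at `now`."""
    if now - fetch_time >= DS_TTL:
        return ds_at_parent(now)
    return ds_at_parent(fetch_time)

def validates(ds_keytag, published, signers):
    """The DNSKEY set is accepted only if the key referenced by the DS
    is published in the set and has produced a signature over it."""
    return ds_keytag in published and ds_keytag in signers

def broken_resolvers(fetch_times, now, published, signers):
    """Fetch times of the resolvers that can no longer validate the zone."""
    return [f for f in fetch_times
            if not validates(ds_seen_by(f, now), published, signers)]

def safe_to_drop_old_ksk(now):
    """No cache can still hold the old DS once a full TTL has passed since the swap."""
    return now >= DS_SWAP + DS_TTL

if __name__ == "__main__":
    resolvers = [9000, 9999, 10500]  # constructed times each resolver cached the DS
    both = {OLD_KSK, NEW_KSK}
    # Shortly after the DS swap, signing with the new KSK only breaks stale caches.
    print(broken_resolvers(resolvers, 11_000, both, {NEW_KSK}))
    # The retired KSK still signing keeps every resolver validating.
    print(broken_resolvers(resolvers, 11_000, both, both))
    # One DS TTL after the swap, the old KSK can be removed entirely.
    print(safe_to_drop_old_ksk(13_600),
          broken_resolvers(resolvers, 13_600, {NEW_KSK}, {NEW_KSK}))
```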