[Opendnssec-user] DNSKEY set signed with KSK in retire state.
maurice at info.nl
Thu Nov 19 13:40:29 UTC 2015
I understand that the KSK stays a while in the zone file so that key
sets signed with this key can expire from caches. But why is the KSK in
retired state still used to sign the DNSKEY set? Looking further
into it I also see that KSKs in the publish state produce RRSIGs for the
Probably this is by design. For ZSKs only the one in the ready state
is used for signing. But probably all the KSKs, independently of state,
produce a DNSKEY RRSIG.
On 11/19/2015 01:28 PM, Rick van Rein wrote:
> Hi Maurice,
>> When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
>> that are in the retire state.
>> Why does this happen?
> Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.
System Engineer | maurice at info.nl <mailto:maurice at info.nl> | +31 (0)20
53 09 111 <tel:+31205309111>
info.nl <http://www.info.nl> /making platforms work/
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 00
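The behaviour discussed in this thread, as an added model (not OpenDNSSEC code and not from either poster): a DNSKEY RRset during a KSK rollover carries one RRSIG per KSK that is still in the zone, including the retiring one, so a validator whose cache still holds only the old KSK as trusted can keep validating. The key tags, the state names and the rule "KSKs in publish, ready, active or retire all sign the DNSKEY RRset" are assumptions taken from the observation above; HMAC stands in for a real RSA/ECDSA RRSIG, which is why the toy "public" side also holds the secret.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption (from the observation in the thread): every KSK that is present in
# the zone, whatever its OpenDNSSEC state, signs the DNSKEY RRset.
PUBLISHED_STATES = {"publish", "ready", "active", "retire"}


@dataclass(frozen=True)
class Key:
    tag: int        # stands in for the DNSKEY key tag
    role: str       # "KSK" or "ZSK"
    state: str      # OpenDNSSEC key state
    secret: bytes   # toy private key: HMAC replaces a real signature algorithm


def public_rdata(key: Key) -> bytes:
    # A real DNSKEY RR carries flags/protocol/algorithm/public key; tag and role suffice here.
    return f"{key.tag} {key.role}".encode()


def dnskey_rrset(keys) -> bytes:
    """Canonical form of the DNSKEY RRset: every key that is published in the zone, sorted."""
    return b"\n".join(sorted(public_rdata(k) for k in keys if k.state in PUBLISHED_STATES))


def rrsig(key: Key, data: bytes):
    """Toy RRSIG: (key tag, MAC over the RRset). A real signer uses the private key here."""
    return key.tag, hmac.new(key.secret, data, hashlib.sha256).digest()


def sign_dnskey_rrset(keys, signer_states=PUBLISHED_STATES):
    """One RRSIG per KSK whose state is in signer_states; ZSKs never sign the DNSKEY RRset here."""
    data = dnskey_rrset(keys)
    return [rrsig(k, data) for k in keys if k.role == "KSK" and k.state in signer_states]


def validate_dnskey_rrset(keys, rrsigs, trusted_keys) -> bool:
    """A validator accepts the RRset if some RRSIG was made by a key it already trusts
    (learned from the parent's DS or still held in its cache)."""
    data = dnskey_rrset(keys)
    trusted_by_tag = {k.tag: k for k in trusted_keys}
    for tag, sig in rrsigs:
        key = trusted_by_tag.get(tag)
        if key is not None and hmac.compare_digest(sig, rrsig(key, data)[1]):
            return True
    return False


# Constructed rollover snapshot: the old KSK is retiring, the new one is active.
OLD_KSK = Key(tag=11111, role="KSK", state="retire", secret=b"old-ksk-toy-secret")
NEW_KSK = Key(tag=22222, role="KSK", state="active", secret=b"new-ksk-toy-secret")
ZSK = Key(tag=33333, role="ZSK", state="active", secret=b"zsk-toy-secret")
ZONE_KEYS = [OLD_KSK, NEW_KSK, ZSK]


def rollover_outcomes(signer_states=PUBLISHED_STATES) -> dict:
    """Which KSKs sign, and whether a stale cache and a fresh validator can validate."""
    sigs = sign_dnskey_rrset(ZONE_KEYS, signer_states)
    return {
        "signing_tags": sorted(tag for tag, _ in sigs),
        # This validator's cache still trusts only the old KSK.
        "stale_cache_validator": validate_dnskey_rrset(ZONE_KEYS, sigs, [OLD_KSK]),
        # This validator has already picked up the new KSK via the updated DS.
        "fresh_validator": validate_dnskey_rrset(ZONE_KEYS, sigs, [NEW_KSK]),
    }


if __name__ == "__main__":
    print("retiring KSK keeps signing:", rollover_outcomes())
    print("retiring KSK dropped early: ", rollover_outcomes(signer_states={"active"}))
```

Running the second case, where only the active KSK signs, shows the failure the retire state is there to prevent: the validator that still trusts only the old key can no longer validate the DNSKEY RRset, while the one that has already moved to the new DS is unaffected.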