[Opendnssec-user] DNSKEY set signed with KSK in retire state.

Maurice maurice at info.nl
Thu Nov 19 13:40:29 UTC 2015

Hi Rick,

I understand that the KSK stays a while in the zone file so that key 
sets signed with this key can expire from caches. But why is the KSK in 
retired state still used to sign the DNSKEY set? Looking further into 
it, I also see that KSKs in the publish state produce RRSIGs for the 
Probably this is by design. For ZSKs only the one in the ready state 
is used for signing. But probably all the KSKs, independently of state, 
produce a DNSKEY RRSIG.


On 11/19/2015 01:28 PM, Rick van Rein wrote:
> Hi Maurice,
>> When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
>> that are in the retire state.
>> Why does this happen?
> Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.
> -Rick

Maurice Mahieu
System Engineer  | maurice at info.nl <mailto:maurice at info.nl>  | +31 (0)20 
53 09 111 <tel:+31205309111>
info.nl <http://www.info.nl> /making platforms work/ 

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  | +31 (0)20 530 91 00 
Facebook <https://www.facebook.com/infonl> | Twitter 
<https://twitter.com/infonl> | LinkedIn 
<https://www.linkedin.com/company/info.nl> | Google+ 
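The point Rick makes (a retiring KSK must keep signing the DNSKEY RRset while validators may still hold the old DS) can be shown with a small timing model. The following Python is an added illustration written for this thread; it is not OpenDNSSEC code and does not reproduce the enforcer's real state machine. The key tags (1111, 2222), the hour-granularity timeline and the DS TTL are constructed values, and the state names are only borrowed from the vocabulary used in the thread.

```python
"""Toy model of a KSK rollover and a validator with a stale DS cache.

Added example for illustration only; not OpenDNSSEC's enforcer logic.
"""
from dataclasses import dataclass

# States in which a KSK is present in the DNSKEY RRset (simplified; the
# real enforcer distinguishes more states and transitions than this).
PUBLISHED_STATES = {"publish", "ready", "active", "retire"}


@dataclass(frozen=True)
class Ksk:
    tag: int      # key tag, as a DS record would reference it
    state: str    # enforcer-style state name (constructed for the model)


@dataclass(frozen=True)
class DnskeyRRset:
    published: frozenset    # key tags present in the DNSKEY RRset
    signer_tags: frozenset  # key tags of KSKs that made an RRSIG over it


def build_dnskey_rrset(ksks, signing_states):
    """Publish every key in a published state; sign with the keys whose
    state is in `signing_states`. A key cannot sign a set it is not in."""
    published = frozenset(k.tag for k in ksks if k.state in PUBLISHED_STATES)
    signers = frozenset(k.tag for k in ksks if k.state in signing_states)
    return DnskeyRRset(published, signers & published)


def validator_accepts(trusted_ds_tags, rrset):
    """Simplified chain-of-trust check: the DNSKEY RRset is accepted if at
    least one RRSIG over it was produced by a key that matches a DS the
    validator currently trusts (its cached copy of the parent's DS set)."""
    return any(tag in trusted_ds_tags for tag in rrset.signer_tags)


def rollover_timeline(ds_ttl_hours, signing_states, horizon_hours):
    """Walk hour by hour through a KSK rollover.

    At t=0 the parent swaps its DS from OLD to NEW, and the enforcer moves
    OLD to 'retire' and NEW to 'active'. A validator that fetched the DS
    just before the swap keeps trusting only OLD until the TTL runs out.
    Returns the hours at which that validator fails to validate the zone.
    """
    OLD, NEW = 1111, 2222  # constructed key tags
    failures = []
    for t in range(horizon_hours):
        ksks = [Ksk(OLD, "retire"), Ksk(NEW, "active")]
        rrset = build_dnskey_rrset(ksks, signing_states)
        # Stale cache: trusts the OLD DS until its TTL expires, then the NEW one.
        trusted = {OLD} if t < ds_ttl_hours else {NEW}
        if not validator_accepts(trusted, rrset):
            failures.append(t)
    return failures


if __name__ == "__main__":
    ttl, horizon = 24, 48
    only_active = rollover_timeline(ttl, {"active"}, horizon)
    with_retired = rollover_timeline(ttl, {"active", "retire"}, horizon)
    print(f"sign only with active KSK : {len(only_active)} failing hours")
    print(f"sign with retired KSK too : {len(with_retired)} failing hours")
```

Running it shows 24 failing hours when only the active KSK signs and none when the retiring KSK keeps signing, which is the cache-expiry window Rick describes. The model deliberately ignores DNSKEY TTLs, signature validity periods and the pre-publication of the new KSK; those lengthen the real window but do not change the conclusion.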
