[Opendnssec-user] DNSKEY set signed with KSK in retire state.
Paul Wouters
paul at nohats.ca
Tue Nov 24 00:07:41 UTC 2015
On Thu, 19 Nov 2015, Rick van Rein wrote:
>> When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
>> that are in the retire state.
>> Why does this happen?
>
> Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.
Doesn't it work the other way around? If you get an RRSIG with a
different keyid, you re-fetch the DNSKEY RRset?
I would think perhaps those RRSIGs didn't reach their renewal time
yet, and only when those RRsets are re-signed is the new key used?
Paul
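The point Rick makes above (a cache may still trust the outgoing KSK after the signer has marked it retired) can be shown with a small model of a KSK rollover. The following is an added example, not code from this thread or from OpenDNSSEC: the keys are constructed byte strings, the "signature" is a hash stand-in for a real public-key signature, and the trust data a cache holds is modelled as the parent's DS record; the key-tag computation is the real RFC 4034 Appendix B algorithm. It runs the DNSKEY RRset through three rollover moments against one validator whose cached DS has not expired and one that has already fetched the new DS.

```python
"""Toy model of a KSK rollover: why the retiring KSK keeps signing the DNSKEY RRset.
Key tags follow RFC 4034 Appendix B; the 'signature' is a hash stand-in for a real
public-key signature, so only the key-tag / DS bookkeeping is meaningful here."""
import hashlib
import struct

FLAG_ZONE = 256   # DNSKEY Zone Key flag
FLAG_SEP = 1      # DNSKEY Secure Entry Point flag (set on KSKs)
PROTOCOL = 3      # fixed value for DNSSEC DNSKEY records
ALGORITHM = 13    # ECDSAP256SHA256 algorithm number (a label only in this toy)


class Dnskey:
    def __init__(self, flags, public_key):
        self.flags = flags
        self.public_key = public_key  # constructed bytes, not a real key

    def rdata(self):
        return struct.pack("!HBB", self.flags, PROTOCOL, ALGORITHM) + self.public_key

    def is_ksk(self):
        return bool(self.flags & FLAG_SEP)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, key):
    """(key tag, digest) as the parent publishes it: SHA-256 over owner name and RDATA."""
    digest = hashlib.sha256(owner.lower().encode() + key.rdata()).hexdigest()
    return key_tag(key.rdata()), digest


def canonical_rrset(keys):
    # RFC 4034 canonical order: RRs sorted by their RDATA
    return b"".join(sorted(k.rdata() for k in keys))


def toy_signature(signer, data):
    # Stand-in for an RRSIG signature; anyone can compute it, unlike a real signature.
    return hashlib.sha256(b"TOY-RRSIG" + signer.rdata() + data).digest()


def sign_dnskey_rrset(keys, signers):
    """One RRSIG per signing key, each carrying the signer's key tag."""
    data = canonical_rrset(keys)
    return [(key_tag(s.rdata()), toy_signature(s, data)) for s in signers]


def validate_dnskey_rrset(owner, trusted_ds, keys, rrsigs):
    """A validator accepts the DNSKEY RRset only if some KSK in it matches a DS it
    trusts AND an RRSIG made with that same key (same key tag) is present."""
    data = canonical_rrset(keys)
    for key in keys:
        if not key.is_ksk() or ds_record(owner, key) not in trusted_ds:
            continue
        tag = key_tag(key.rdata())
        for sig_tag, sig in rrsigs:
            if sig_tag == tag and sig == toy_signature(key, data):
                return True
    return False


def rollover_outcomes(owner="example."):
    """Run three rollover moments against a validator with a stale DS and one with
    the new DS; returns {moment: (stale_cache_ok, fresh_cache_ok)}."""
    old_ksk = Dnskey(FLAG_ZONE | FLAG_SEP, b"constructed-old-ksk")
    new_ksk = Dnskey(FLAG_ZONE | FLAG_SEP, b"constructed-new-ksk")
    zsk = Dnskey(FLAG_ZONE, b"constructed-zsk")
    stale = {ds_record(owner, old_ksk)}   # DS TTL not yet expired in this cache
    fresh = {ds_record(owner, new_ksk)}   # cache already refetched the parent's DS
    both = [old_ksk, new_ksk, zsk]

    def check(keys, rrsigs):
        return (validate_dnskey_rrset(owner, stale, keys, rrsigs),
                validate_dnskey_rrset(owner, fresh, keys, rrsigs))

    return {
        # old KSK in 'retire': still published and still signing alongside the new one
        "retire_still_signing": check(both, sign_dnskey_rrset(both, [old_ksk, new_ksk])),
        # old KSK stops signing before stale caches have expired the old DS
        "retire_stopped_early": check(both, sign_dnskey_rrset(both, [new_ksk])),
        # old KSK removed once the old DS has aged out of every cache
        "after_removal": check([new_ksk, zsk], sign_dnskey_rrset([new_ksk, zsk], [new_ksk])),
    }


if __name__ == "__main__":
    for moment, (stale_ok, fresh_ok) in rollover_outcomes().items():
        print(f"{moment:22} stale-DS cache: {stale_ok!s:5} new-DS cache: {fresh_ok}")
```

The middle case is the one the question is about: a validator whose cached DS still names the old KSK finds that key in the RRset but no RRSIG made with it, and the whole zone goes bogus for that validator until its DS entry expires. Keeping the retired KSK signing until the DS TTL has passed is what avoids that window.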