[Opendnssec-user] DNSKEY set signed with KSK in retire state.

Paul Wouters paul at nohats.ca
Tue Nov 24 00:07:41 UTC 2015

On Thu, 19 Nov 2015, Rick van Rein wrote:

>> When using OpenDNSSEC,   I see that DNSKEY sets are signed with keys
>> that are in the retire state.
>> Why does this happen ?
> Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it.

doesn't it work the other way around. If you get an RRSIG with a
different keyid, you re-fetch the DNSKEY RRset?

I would think perhaps those RRSIGs didn't reach their renewal time
yet, and only when those RRsets are resigned is the new key used?


More information about the Opendnssec-user mailing list