[Opendnssec-user] DNSKEY set signed with KSK in retire state.

Matthijs Mekking matthijs at pletterpet.nl
Tue Nov 24 08:20:23 UTC 2015

On 24-11-15 01:07, Paul Wouters wrote:
> On Thu, 19 Nov 2015, Rick van Rein wrote:
>>> When using OpenDNSSEC,   I see that DNSKEY sets are signed with keys
>>> that are in the retire state.
>>> Why does this happen ?
>> Even if OpenDNSSEC is aware that a key is to be retired, it doesn't
>> mean that the rest of the World knows; DNS caches may still have the
>> key loaded as a trusted validator, and want to be able to validate the
>> zone based on it.
> doesn't it work the other way around. If you get an RRSIG with a
> different keyid, you re-fetch the DNSKEY RRset?

A signer should accommodate for the case that the new DS has been
published, but not all validators are aware of that (because of caches).

The situation is as follows:
1. Validator has old DS cached, validator has DNSKEY not cached.
2. Validator fetches DNSKEY RRset, needs to authenticate it.
3. Validator needs RRSIG from DNSKEY corresponding to old DS to
authenticate the referral [RFC4035, Section 5.2, bullet 3].

It may be that a validator just re-fetches the DNSKEY RRset if this
fails, but it is not required according to the specification.

> I would think perhaps those RRSIGs didn't reach their renewal time
> yet, and only when those RRsets are resigned is the new key used?

That is the case with ZSK, not KSK.

Best regards,

> Paul
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list