[Opendnssec-user] Zone signed by key in retire state

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Sep 27 15:03:17 UTC 2016

Hi Arun,

>  We have opendnssec setup to rollover ZSK every 3 months. And in the ODS
> database it happened as expected , a new key was in PUBLISH state and
> later on to ACTIVE. The old key was moved to retire state. But still, I
> see the zone file is signed with the old key (currently in RETIRE
> state). Any ideas?

OpenDNSSEC tries to keep signatures in the zone as long as they are
valid. Only when a signature expires and thus needs a resign, the
signature is generated with the new ZSK.

You'll notice that some signatures are generated with the new ZSK and
some with the old ZSK. The signature validity is configurable in the
KASP. During that time both ZSKs have their DNSKEY record published in
the zone.

> I guess if we clear the ods and run signer again it will work, but
> wondering why it does not happen automatically?

It would work, but it is probably not what you want.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160927/3d33bb15/attachment.bin>

More information about the Opendnssec-user mailing list