[Opendnssec-user] Zone signed by key in retire state
Arun Natarajan
arun at arunns.com
Tue Sep 27 15:13:44 UTC 2016
Thanks Yuri,
> OpenDNSSEC tries to keep signatures in the zone as long as they are
> valid. Only when a signature expires and thus needs a resign, the
> signature is generated with the new ZSK.
>
> You'll notice that some signatures are generated with the new ZSK and
> some with the old ZSK. The signature validity is configurable in the
> KASP. During that time both ZSKs have their DNSKEY record published in
> the zone.
>
>
My understanding was that it creates new signatures with the new key once the
key is rolled.
> > I guess if we clear the ods and run signer again it will work, but
> > wondering why it does not happen automatically?
>
> It would work, but it is probably not what you want.
>
Yeah, probably not a good idea. Might be useful in an emergency rollover
though.
--
arun
>
> Regards,
> Yuri
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
>
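The behaviour Yuri describes above (both ZSKs published, RRSIGs split between the old and the new key until each signature expires and is regenerated) is easy to audit from a zone dump. The script below is an added example written for this thread; it is not OpenDNSSEC code and does not use the KASP or signer internals. It parses a constructed zone excerpt (the key material is repeated filler bytes, not real keys, and the zone lines are assumed to carry owner, TTL, class and type in that order), computes each DNSKEY's key tag per RFC 4034 Appendix B, and reports how many RRSIGs still depend on each ZSK and when the retiring ZSK's DNSKEY can leave the zone. It also flags RRSIGs whose key tag matches no published DNSKEY, which is what validators would see if the old key were withdrawn too early.

```python
"""Which ZSK signs what during a ZSK rollover? (added example, not OpenDNSSEC code)"""
import base64
from datetime import datetime, timezone


def at(stamp: str) -> datetime:
    """Parse an RRSIG-style YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _filler_key(byte: int) -> str:
    """Constructed 64-byte 'public key' made of one repeated byte (not a real key)."""
    return base64.b64encode(bytes([byte]) * 64).decode()


# Constructed zone excerpt: one KSK, the retiring ZSK and the new ZSK are all
# published; RRSIGs are split between the two ZSKs. Key tags in the RRSIG lines
# (25710 KSK, 9261 old ZSK, 17485 new ZSK) are key_tag() over the filler keys.
ZONE = f"""
example.com.      3600 IN DNSKEY 257 3 13 {_filler_key(0x03)} ; KSK
example.com.      3600 IN DNSKEY 256 3 13 {_filler_key(0x01)} ; retiring ZSK
example.com.      3600 IN DNSKEY 256 3 13 {_filler_key(0x02)} ; new ZSK
example.com.      3600 IN RRSIG DNSKEY 13 2 3600 20161010120000 20160926120000 25710 example.com. c2ln
example.com.      3600 IN RRSIG SOA    13 2 3600 20161004120000 20160927120000 17485 example.com. c2ln
example.com.      3600 IN RRSIG NS     13 2 3600 20161001120000 20160924120000 9261  example.com. c2ln
www.example.com.  3600 IN RRSIG A      13 3 3600 20161003120000 20160926120000 17485 example.com. c2ln
mail.example.com. 3600 IN RRSIG A      13 3 3600 20160930120000 20160923120000 9261  example.com. c2ln
"""

# Same zone with the retiring ZSK's DNSKEY pulled while its RRSIGs still live.
ZONE_OLD_KEY_PULLED = "\n".join(l for l in ZONE.splitlines() if "retiring ZSK" not in l)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Return ({key_tag: flags} for DNSKEYs, [(owner, type_covered, expiry, key_tag)] for RRSIGs).

    Assumes every record is on one line as 'owner ttl class type rdata...';
    text after ';' is a comment.
    """
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pub = base64.b64decode("".join(rdata[3:]))
            dnskeys[key_tag(flags, proto, alg, pub)] = flags
        elif rtype == "RRSIG":
            # rdata: type_covered alg labels orig_ttl expiration inception key_tag signer signature
            rrsigs.append((owner, rdata[0], at(rdata[4]), int(rdata[6])))
    return dnskeys, rrsigs


def rollover_report(text: str, now: datetime) -> dict:
    """Per ZSK: RRSIGs still depending on it and whether its DNSKEY may be withdrawn.

    A ZSK's DNSKEY may only leave the zone once every RRSIG made with it has
    expired; until then some validator may still hold such a signature.
    """
    dnskeys, rrsigs = parse_zone(text)
    report = {"zsk": {}, "orphaned": []}
    for tag, flags in dnskeys.items():
        if flags & 0x0001:          # SEP bit set: KSK, not tracked here
            continue
        mine = [r for r in rrsigs if r[3] == tag]
        last = max((r[2] for r in mine), default=None)
        report["zsk"][tag] = {
            "rrsigs": len(mine),
            "last_expiry": last,
            "removable": last is None or now > last,
        }
    # Unexpired RRSIGs whose key tag matches no published DNSKEY cannot validate.
    for owner, rtype, expiry, tag in rrsigs:
        if tag not in dnskeys and expiry > now:
            report["orphaned"].append((owner, rtype, tag))
    return report


if __name__ == "__main__":
    now = at("20160927151344")  # time of the post above
    for label, zone in (("both ZSKs published", ZONE), ("old ZSK pulled early", ZONE_OLD_KEY_PULLED)):
        print(label, rollover_report(zone, now))
```

With both keys published the report shows the old ZSK (tag 9261) still backing two RRSIGs, the latest expiring 2016-10-01, so it is not yet removable, and no orphans; with the old DNSKEY pulled at the same moment, the NS and mail A signatures show up as orphaned. Clearing the signer state and re-signing everything with the new key, as discussed above, avoids orphans in the zone itself but throws away the grace period that lets cached signatures made with the old key keep validating.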