[Opendnssec-user] Zone signed by key in retire state

Arun Natarajan arun at arunns.com
Tue Sep 27 15:13:44 UTC 2016

Thanks Yuri,

> OpenDNSSEC tries to keep signatures in the zone as long as they are
> valid. Only when a signature expires and thus needs a resign, the
> signature is generated with the new ZSK.
> You'll notice that some signatures are generated with the new ZSK and
> some with the old ZSK. The signature validity is configurable in the
> KASP. During that time both ZSKs have their DNSKEY record published in
> the zone.
My understanding was that it creates new signatures with the new key once the
key is rolled.

> > I guess if we clear the ods and run signer again it will work, but
> > wondering why it does not happen automatically?
> It would work, but it is probably not what you want.

Yeah, probably not a good idea. Might be useful in an emergency rollover.


> Regards,
> Yuri