[Opendnssec-user] Zone signed by key in retire state
arun at arunns.com
Tue Sep 27 15:13:44 UTC 2016
> OpenDNSSEC tries to keep signatures in the zone as long as they are
> valid. Only when a signature expires and thus needs a resign, the
> signature is generated with the new ZSK.
> You'll notice that some signatures are generated with the new ZSK and
> some with the old ZSK. The signature validity is configurable in the
> KASP. During that time both ZSKs have their DNSKEY record published in
> the zone.
My understanding was that it creates new signatures with the new key once the
key is rolled.
> > I guess if we clear the ods and run signer again it will work, but
> > wondering why it does not happen automatically?
> It would work, but it is probably not what you want.
Yeah, probably not a good idea. Might be useful in an emergency rollover.
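The behaviour described in the quoted reply (signatures made by the old ZSK stay in the zone until they expire, and both ZSK DNSKEY records are published meanwhile) can be checked on a signed zone file. The script below is an added example, not code from this thread or from OpenDNSSEC: it computes the RFC 4034 key tag of every published DNSKEY, counts RRSIGs per key tag, and flags any RRSIG whose key tag matches no published DNSKEY, which is the state that would break validation if the old DNSKEY were withdrawn too early. The zone text and key material are constructed.

```python
import base64
from collections import defaultdict


def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit_zone(zone_text):
    """Map DNSKEY key tags to roles, count RRSIGs per key tag, list orphaned RRSIGs."""
    published = {}          # key tag -> "KSK" (SEP bit set) or "ZSK"
    rrsigs = []             # (owner, type covered, key tag)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            published[keytag(flags, proto, alg, pub)] = "KSK" if flags & 1 else "ZSK"
        elif f[3] == "RRSIG":
            # owner TTL IN RRSIG type alg labels origTTL expiry inception keytag signer sig
            rrsigs.append((f[0], f[4], int(f[10])))
    signed_by = defaultdict(int)
    orphaned = []
    for owner, covered, tag in rrsigs:
        if tag in published:   # key tags can collide, so this is a necessary, not sufficient, check
            signed_by[tag] += 1
        else:
            orphaned.append((owner, covered, tag))
    return {"published": published, "signed_by": dict(signed_by), "orphaned": orphaned}


# Constructed zone: two ZSKs (tags 2062 and 4118), one RRSIG per key, and one
# RRSIG (tag 9999) left over from a key that is no longer published.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 8 BQYHCA==
example.test. 3600 IN A 192.0.2.1
example.test. 3600 IN RRSIG A 8 2 3600 20160930000000 20160920000000 2062 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.2
www.example.test. 3600 IN RRSIG A 8 3 3600 20161010000000 20160926000000 4118 example.test. c2ln
mail.example.test. 3600 IN MX 10 example.test.
mail.example.test. 3600 IN RRSIG MX 8 3 3600 20161010000000 20160926000000 9999 example.test. c2ln
"""

if __name__ == "__main__":
    print(audit_zone(SAMPLE_ZONE))
```

A zone in the state the reply describes shows two ZSK tags in `published`, both with non-zero counts in `signed_by`, and an empty `orphaned` list; anything in `orphaned` means a signature outlived its DNSKEY.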