[Opendnssec-user] Key States after migrating from 1.4.10 to 2.1.0

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Apr 21 12:44:47 UTC 2017


> So I have an extra KSK in state rumoured with no key roll scheduled but active
> in the zone. Is this to be expected?

My guess is that your KASP states manual rollover for KSK. Therefore it
plans no future roll overs.

The extra key is then either because you gave a manual rollover command
or -this is likely the case- a standby key that your 1.4 installation
used. 2.x doesn't have/need the concept of standby keys, as it will be
able to roll to a new key /any/ time. Since it doesn't have this concept
it just 'rolls' with it.

I advice the execute a rollover command for that zone for KSK. The
current 2 keys will then be replaced by one new KSK. The extraneous KSK
should go away quite fast since it doesn't have its DS uploaded yet.

//Yuri


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20170421/7f10fc9f/attachment.bin>


More information about the Opendnssec-user mailing list