[Opendnssec-user] rollover started automatically when ManualRollover set

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Jul 31 09:39:30 UTC 2017

Hi Emil,

I have some clarifications.

> There are no signatures created/remaining in the signed zone with the
> retired key and it's completely redundant it's kept in the zonefile for
> so long.

I'm not sure about the order of events in your zone; you might have done
some manual cleans or re-signs? But in general it isn't redundant at all
for the old ZSK to be published for some time. Were it not for caching
in DNS, DNSSEC would be much simpler. The old ZSK needs to be published
as long as some resolvers still have data cached signed by the old key.

> example.com    ZSK    retire    2017-08-23 13:50:48 (dead)    2048    8

Here we see that the retire state of the key lasts for 1 month. This is
because your signature validity is 31 days.

Also, the way OpenDNSSEC 1.4 works is that when it changes the state of
a key it will calculate the time of the next state change and save it in
the database. Changing the KASP does not affect currently set times.

Note: ODS 2.1 is more flexible in this regard.

