[Opendnssec-user] Manual ZSK key rollover timings
Artur
ods at pydo.org
Mon Sep 15 13:24:01 UTC 2025
Hello,
I'm experimenting with manual key rollover, KSK and ZSK.
The KSK rollover went fine and was done in 48 hours.
The ZSK rollover takes longer and I wonder if everything goes fine.
After about 48 hours the old ZSK key is in 'retire' state while the new
one is in 'ready' state.
$ sudo ods-enforcer key list --zone pydo.fr
Keys:
Zone:     Keytype:  State:   Date of next transition:
pydo.fr   KSK       retire   2025-09-27 08:51:08
pydo.fr   ZSK       retire   2025-09-27 08:51:08
pydo.fr   KSK       active   2025-09-27 08:51:08
pydo.fr   ZSK       ready    2025-09-27 08:51:08
The new ZSK key signs only SOA while the old one signs all other records
(AAAA, NSEC3PARAM, NS, MX, A, TXT).
The only difference between the records that I can see is that the SOA
TTL is 3600s while the others are at 86000s.
Is it OK to see the 'ready' state on the new ZSK instead of the 'active'
state, and no signature on ALL the records?
If needed, I can provide all the configuration files and DNSVIZ graphics
if it is OK to send them to the mailing list.
Thank you for your help.
--
Best regards,
Artur