Hi Nick,
The timings are based on what is configured in the dnssec-policy: It is
too costly to observe the zone every time to see if there is still a
signature of the predecessor key. So yes: it takes the maximum possible
time to determine when all signatures have been replaced.
This time
On 03/10/2023 09:59, Eddie Rowe wrote:
I appreciate the feedback. I did make sure the ZSK is omnipresent and the
issue still happens so it might be that my attempt to take the default
policy
and bring it down to 1 day to hurry along testing. I will see if I
can find
any test policies in the
2 matches
Mail list logo
