On 1/31/26 00:52, Bagas Sanjaya wrote:
> On Thu, Jan 29, 2026 at 03:19:24PM +0100, Matthijs Mekking wrote:
>> Hello,
>>
>> For users interested in offline KSK, introduced in 9.20.2, we have just
>> published a Knowledgebase article on this feature that might be worth a
>> read.
>>
>> If you have any questions or remarks about it, feel free to reach out.
>
> The article mentions that the KSR is for 7 months and ZSK lifetime is 6 months,
> which means that there is one month of window to generate new KSR. On ZSK
> rollover during that window, does it imply that when new SKR (from such new
> KSR) is loaded, we end up with two ZSKs?

If you generate a KSR and SKR when there is a ZSK rollover in progress,
there will be two ZSKs indeed.
Each key has timing metadata that indicates what time the key should be
published and removed that is set when you generate the keys with
"dnssec-ksr keygen".
I hope this helps clear up the confusion.
Best regards,
Matthijs