03.04.2014 12:12, Siôn Lloyd wrote:
> One thing first; even a static zone is being resigned and published on
> the timescales defined by your signature Resign and Refresh parameters.

There are cases where the Resign-interval is set to basically infinite so that the zone signing process is only triggered by the update from the zone provisioning system. I guess at least some TLD zones are operated this way.

> So even if the system which creates the unsigned zones breaks a key
> rollover can happily progress.

This is exactly where the problem lies in case the zone provisioning system is down. Enforcerd "happily" completes the key rollover although actually the zone has not been signed in between. But anyway, this marginal issue can be more or less mitigated by setting the PublishSafety interval long enough, as already stated.

Antti
