Hi Rick,

I understand that the KSK stays a while in the zone file so that key sets signed with this key can expire from caches. But why is the KSK in retired state still used to sign the DNSKEY set? Looking further into it, I also see that KSKs in the publish state produce RRSIGs for the key set. Probably this is by design. For ZSKs only the one in the ready state is used for signing. But probably all the KSKs, independently of state, produce a DNSKEY RRSIG.

Maurice



On 11/19/2015 01:28 PM, Rick van Rein wrote:
Hi Maurice,

When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
that are in the retire state.
Why does this happen ?
Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that 
the rest of the World knows; DNS caches may still have the key loaded as a 
trusted validator, and want to be able to validate the zone based on it.

-Rick


--
Maurice Mahieu
System Engineer | [email protected] | +31 (0)20 53 09 111
info.nl <http://www.info.nl> /making platforms work/
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 00
Facebook <https://www.facebook.com/infonl> | Twitter <https://twitter.com/infonl> | LinkedIn <https://www.linkedin.com/company/info.nl> | Google+ <https://plus.google.com/+infonl/>

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
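The reason Rick gives (a cache that still trusts the old KSK must keep being able to validate the DNSKEY RRset) can be made concrete with a small simulation. The following is an added example written for this page, not OpenDNSSEC code: it models the zone's keys with a role and a state, signs the DNSKEY RRset with every KSK whose state is in a configurable set, and then checks the RRset from the point of view of two resolver caches, one that has already learned the new KSK and one that still trusts only the retiring one. Signatures are modelled as HMAC-SHA256 so the script runs offline (a real RRSIG is an asymmetric signature), the state names and key tags are constructed for the example, and the "what a cache trusts" model is a deliberate simplification of DS/trust-anchor handling.

```python
"""Toy model of a KSK rollover: which DNSKEY RRSIGs do stale caches need?

Constructed example, not OpenDNSSEC code. HMAC-SHA256 stands in for the
asymmetric RRSIG so the script is self-contained.
"""
import hashlib
import hmac

# KSK states that (in this model) still produce a DNSKEY RRSIG. The names are
# taken from the thread; the set itself is an assumption of this example.
SIGNING_KSK_STATES = {"publish", "ready", "active", "retire"}


def make_key(tag, role, state, secret):
    """A zone key: numeric key tag, role (KSK/ZSK), lifecycle state, secret."""
    return {"tag": tag, "role": role, "state": state, "secret": secret}


def dnskey_rrset(keys):
    """Canonical text form of the published DNSKEY RRset (all keys, sorted)."""
    return "\n".join(f"{k['tag']} {k['role']}" for k in sorted(keys, key=lambda k: k["tag"]))


def sign(key, data):
    """Stand-in RRSIG: HMAC over the RRset with the key's secret."""
    return hmac.new(key["secret"], data.encode(), hashlib.sha256).hexdigest()


def sign_dnskey_rrset(keys, ksk_states=SIGNING_KSK_STATES):
    """Return {key_tag: rrsig} for every KSK whose state is in ksk_states.

    ZSKs never sign the DNSKEY RRset in this model, whatever their state.
    """
    data = dnskey_rrset(keys)
    return {
        k["tag"]: sign(k, data)
        for k in keys
        if k["role"] == "KSK" and k["state"] in ksk_states
    }


def validates(trusted_tags, keys, rrsigs):
    """A resolver trusting `trusted_tags` accepts the DNSKEY RRset iff at least
    one RRSIG was made by a key it trusts and that RRSIG verifies."""
    data = dnskey_rrset(keys)
    by_tag = {k["tag"]: k for k in keys}
    for tag in trusted_tags:
        sig = rrsigs.get(tag)
        if sig is None or tag not in by_tag:
            continue
        if hmac.compare_digest(sig, sign(by_tag[tag], data)):
            return True
    return False


def rollover_scenario():
    """Mid-rollover zone: old KSK retiring, new KSK active, one active ZSK."""
    old_ksk = make_key(1111, "KSK", "retire", b"old-ksk-secret")   # constructed
    new_ksk = make_key(2222, "KSK", "active", b"new-ksk-secret")   # constructed
    zsk = make_key(3333, "ZSK", "active", b"zsk-secret")           # constructed
    zone = [old_ksk, new_ksk, zsk]

    # Policy A: retiring KSK keeps signing (what the thread observes).
    with_retired = sign_dnskey_rrset(zone)
    # Policy B: only the active KSK signs (the alternative Maurice asks about).
    active_only = sign_dnskey_rrset(zone, ksk_states={"active"})

    stale_cache = {1111}   # has not yet picked up the new KSK
    fresh_cache = {2222}   # already trusts the new KSK

    return {
        "zsk_signs_dnskey": 3333 in with_retired,
        "stale_cache_with_retired_sig": validates(stale_cache, zone, with_retired),
        "fresh_cache_with_retired_sig": validates(fresh_cache, zone, with_retired),
        "stale_cache_active_only": validates(stale_cache, zone, active_only),
        "fresh_cache_active_only": validates(fresh_cache, zone, active_only),
    }


if __name__ == "__main__":
    for name, ok in rollover_scenario().items():
        print(f"{name}: {ok}")
```

The interesting row is `stale_cache_active_only`: once the retiring KSK stops signing, any resolver that still holds the old key as its trust point can no longer validate the DNSKEY RRset and the zone goes bogus for it until its cache expires. Keeping the retire-state signature around for the old key's TTL window is what avoids that outage.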
