Hi Arun,

> We have opendnssec set up to rollover ZSK every 3 months. And in the ODS
> database it happened as expected, a new key was in PUBLISH state and
> later on to ACTIVE. The old key was moved to retire state. But still, I
> see the zone file is signed with the old key (currently in RETIRE
> state). Any ideas?
OpenDNSSEC tries to keep signatures in the zone as long as they are valid. Only when a signature expires, and thus needs a resign, is it generated with the new ZSK. You'll notice that some signatures are generated with the new ZSK and some with the old ZSK. The signature validity is configurable in the KASP. During that time both ZSKs have their DNSKEY record published in the zone.

> I guess if we clear the ods and run signer again it will work, but
> wondering why it does not happen automatically?

It would work, but it is probably not what you want.

Regards,
Yuri
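A way to confirm what Yuri describes in your own signed zone, as an added example (not code from the thread or from OpenDNSSEC): group the zone's RRSIGs by key tag, report how many are still valid versus expired, and check that every signing key tag still has a DNSKEY published. It assumes the one-record-per-line presentation format the signer writes and YYYYMMDDHHMMSS RRSIG timestamps; the sample zone and its keys are constructed.

```python
"""Audit which key tag signed each RRSIG in a DNSSEC zone file (added example).
Assumes the one-record-per-line presentation format the OpenDNSSEC signer writes,
RRSIG times as YYYYMMDDHHMMSS (RFC 4034); the sample zone below is constructed."""
import base64
from collections import defaultdict


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) \
        + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def audit_zone(zone_text: str, now: str) -> dict:
    """Per RRSIG key tag: signature count, how many are already expired at `now`,
    the earliest expiry, and whether a DNSKEY with that tag is published."""
    dnskeys = {}  # key tag -> "KSK" or "ZSK"
    sigs = defaultdict(lambda: {"count": 0, "expired": 0, "earliest_expiry": None})
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].startswith(";"):
            continue  # blank line, comment, $TTL/$ORIGIN directive
        if f[3] == "DNSKEY" and len(f) >= 8:
            flags = int(f[4])
            tag = key_tag(flags, int(f[5]), int(f[6]), "".join(f[7:]))
            dnskeys[tag] = "KSK" if flags & 1 else "ZSK"  # SEP bit set -> KSK
        elif f[3] == "RRSIG" and len(f) >= 12:
            # fields: type alg labels origttl expiration inception keytag signer sig
            expiry, tag = f[8], int(f[10])
            s = sigs[tag]
            s["count"] += 1
            s["expired"] += int(expiry <= now)  # YYYYMMDDHHMMSS compares lexically
            if s["earliest_expiry"] is None or expiry < s["earliest_expiry"]:
                s["earliest_expiry"] = expiry
    return {tag: {**s, "dnskey": dnskeys.get(tag)} for tag, s in sigs.items()}


SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 8 AQI=
example.test. 3600 IN DNSKEY 256 3 8 AQM=
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20240301000000 20240201000000 1290 example.test. c2ln
mail.example.test. 3600 IN RRSIG A 8 3 3600 20240320000000 20240220000000 1291 example.test. c2ln
"""

if __name__ == "__main__":
    for tag, s in sorted(audit_zone(SAMPLE_ZONE, "20240225000000").items()):
        print(tag, s["dnskey"] or "NOT PUBLISHED", s)
```

In the sample, tag 1290 plays the retired ZSK: its signature is still valid, so the signer keeps it until expiry, while new signatures carry tag 1291; a key tag reported as NOT PUBLISHED would mean signatures validators can no longer verify.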
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
