Thanks Yuri,
> OpenDNSSEC tries to keep signatures in the zone as long as they are
> valid. Only when a signature expires and thus needs a resign, the
> signature is generated with the new ZSK.
>
> You'll notice that some signatures are generated with the new ZSK and
> some with the old ZSK. The signature validity is configurable in the
> KASP. During that time both ZSKs have their DNSKEY record published in
> the zone.
>

My understanding was, it creates new signatures with the new key once the key is rolled.

> > I guess if we clear the ods and run signer again it will work, but
> > wondering why it does not happen automatically?
>
> It would work, but it is probably not what you want.
>

Yeah, probably not a good idea. Might be useful in emergency roll over though.

-- arun

>
> Regards,
> Yuri
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
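To check the mixed state described in the quoted reply on a signed zone, this added example (not from the thread and not OpenDNSSEC code) tallies RRSIGs per key tag and reports the latest expiration among signatures still made with the old ZSK. The zone excerpt, names, key tags and signatures are constructed, and it assumes each RRSIG is on one line in presentation format.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: 11111 = old ZSK, 22222 = new ZSK, 33333 = KSK (all made up).
SAMPLE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20240120000000 20240106000000 22222 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 8 2 3600 20240112000000 20231229000000 11111 example.test. c2lnMg==
www.example.test. 300 IN RRSIG A 8 3 300 20240115000000 20240101000000 11111 example.test. c2lnMw==
mail.example.test. 300 IN RRSIG A 8 3 300 20240121000000 20240107000000 22222 example.test. c2lnNA==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20240125000000 20240104000000 33333 example.test. c2lnNQ==
"""

def parse_ts(s):
    # RRSIG expiration/inception in presentation format: YYYYMMDDHHMMSS, UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def zsk_signature_report(zone_text):
    """Return {key_tag: {"count": n, "last_expiry": datetime}} for RRSIGs
    over everything except the DNSKEY RRset (assumed here to be KSK-signed)."""
    report = defaultdict(lambda: {"count": 0, "last_expiry": None})
    for line in zone_text.splitlines():
        f = line.split()
        # name TTL class RRSIG covered alg labels origttl expire incept tag signer sig
        if line.startswith(";") or len(f) < 13 or f[3] != "RRSIG":
            continue
        covered, expiry, key_tag = f[4], parse_ts(f[8]), int(f[10])
        if covered == "DNSKEY":
            continue
        entry = report[key_tag]
        entry["count"] += 1
        if entry["last_expiry"] is None or expiry > entry["last_expiry"]:
            entry["last_expiry"] = expiry
    return dict(report)

def old_key_needed_until(zone_text, old_tag):
    """Latest expiration among signatures still made with old_tag, or None
    if no such signature remains in the zone."""
    entry = zsk_signature_report(zone_text).get(old_tag)
    return entry["last_expiry"] if entry else None

if __name__ == "__main__":
    for tag, e in sorted(zsk_signature_report(SAMPLE).items()):
        print(tag, e["count"], e["last_expiry"].isoformat())
    print("old ZSK signatures present until:", old_key_needed_until(SAMPLE, 11111))
```

A zone in the middle of a ZSK rollover shows counts under both key tags; once the old tag no longer appears, no signature in the zone depends on the old DNSKEY.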
