Hi Emil, I have some clarifications.
> There are no signatures created/remaining in the signed zone with the
> retired key and it's completely redundant it's kept in the zonefile for
> so long.

I'm not sure about the order of events in your zone, you might have done some manual clean or resigns? But in general it isn't redundant at all for the old ZSK to be published for some time. Were it not for caching in DNS, DNSSEC would be much simpler. The old ZSK needs to be published as long as some resolvers still have data cached signed by the old key.

> example.com ZSK retire 2017-08-23 13:50:48 (dead) 2048 8

Here we see that the retire state of the key lasts for 1 month. This is because your signature validity is 31 days. Also, the way OpenDNSSEC 1.4 works is that when it changes the state of a key it will calculate the time of the next state change and save it in the database. Changing the KASP does not affect currently set times. Note: ODS 2.1 is more flexible in this regard.

//Yuri
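The relationship Yuri describes (the retired ZSK must stay in the DNSKEY RRset until the last RRSIG made with it can no longer validate, which with a 31-day signature validity is about a month after retirement) can be checked against the signed zone itself. The following is an added example, not code from the thread or from OpenDNSSEC: it parses RRSIG records in presentation format from a constructed sample zone, groups them by key tag, and reports the latest expiration for the retired key tag. The key tags 11111/22222 and the records are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample of a signed zone (not from the original thread).
# Key tag 11111 plays the retired ZSK, 22222 the active ZSK.
# DNSKEY/RRSIG data fields are truncated placeholders.
SAMPLE_ZONE = """\
example.com.      3600 IN DNSKEY 256 3 8 AwEAAb...old...
example.com.      3600 IN DNSKEY 256 3 8 AwEAAc...new...
www.example.com.  3600 IN A 192.0.2.10
www.example.com.  3600 IN RRSIG A 8 3 3600 20170923135048 20170823135048 11111 example.com. c2lnMQ==
mail.example.com.  300 IN A 192.0.2.25
mail.example.com.  300 IN RRSIG A 8 3 300 20170915120000 20170816120000 11111 example.com. c2lnMg==
example.com.      3600 IN RRSIG SOA 8 2 3600 20170924000000 20170824000000 22222 example.com. c2lnMw==
"""

def parse_rrsigs(zone_text):
    """Return (owner, type_covered, key_tag, expiration) for each RRSIG line.
    RRSIG RDATA order: type alg labels origttl expiration inception keytag signer sig."""
    out = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        out.append((f[0], f[4], int(f[10]), exp))
    return out

def signatures_by_key(rrsigs):
    """Map key tag -> (number of RRSIGs, latest expiration among them)."""
    summary = {}
    for _owner, _rtype, tag, exp in rrsigs:
        count, latest = summary.get(tag, (0, None))
        summary[tag] = (count + 1, exp if latest is None or exp > latest else latest)
    return summary

def keep_published_until(rrsigs, key_tag):
    """Latest expiration of any RRSIG made with key_tag: validators reject an
    RRSIG after that time, so the DNSKEY must stay published at least until
    then. Returns None if no RRSIG in the zone uses the key."""
    exps = [exp for _o, _t, tag, exp in rrsigs if tag == key_tag]
    return max(exps) if exps else None

if __name__ == "__main__":
    sigs = parse_rrsigs(SAMPLE_ZONE)
    for tag, (n, latest) in sorted(signatures_by_key(sigs).items()):
        print(f"key tag {tag}: {n} RRSIG(s), latest expiration {latest:%Y-%m-%d %H:%M:%S}")
    retired = datetime(2017, 8, 23, 13, 50, 48, tzinfo=timezone.utc)  # retire time from the thread
    until = keep_published_until(sigs, 11111)
    print(f"retired ZSK 11111 must stay published {(until - retired).days} days after retirement")
```

Run against a real signed zone dumped in presentation format (for example `dig AXFR` output) the same parser shows whether any RRSIG still references the retired key tag and how long it remains valid.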
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
