Hi, It seems that the ods-auditor doesn't deal perfectly with the current (version 1.1.0) KSK rollover logic. When the KSK rollover is being initiated (that is, a new KSK is introduced in the zone and used to sign the DNSKEY RRset) and when the zone is signed for the next time, the auditor complains:
ods-auditor[3894]: Key (32345) has gone straight to active use without a prepublished phase The auditor seems to expect that a new key is always prepublished, as is done with ZSK rollovers. When the zone is signed for the second time after KSK rollover initiation, the auditor passes normally. So, currently we will miss one zone update round when KSK is rolled and the auditor is used. This is not a major issue, but not a desired behaviour, either. Regards, Antti _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
