On 23/07/12 07:40, Jerry Lundström wrote:
> Hi Fred,
>
> On Fri, Jul 20, 2012 at 1:19 PM, Fred Zwarts (KVI) <[email protected]> wrote:
>> What does that mean exactly? Will OpenDNSSEC continue to sign the zone with
>> the old key until the backup notification is done, or will it stop signing
>> the zone, because the old key is retiring and the new key is not yet ready?
>
> From what I know, if the Signer has received a key to sign the zone
> with, it will continue to do that. Key management is handled by the
> Enforcer and it will not use a new key until you back it up if that
> repository is marked with RequireBackup.

This is correct, the old key will remain in use until the new key is considered safe to use, i.e. it has been marked as backed up.

If you use the auditor, it will start complaining that a key has been in use for longer than your policy allows; this will just be a warning, however, and should not stop zone publication.

Sion
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user