Hi,
I'm testing KSK rollover, when the newly created KSK is set active by ds-seen,
the old KSK became retired, but the DNSKEY is still signed by the old KSK after
resigning , the new KSK is not used at all. I used to think there should be two
RRSIG DNSKEYs because of Double Signing. When will the new KSK be used for
signing? When will the old KSK get deleted? The DS is valid in parent zone now,
but I can not delete the old DS because new KSK is not used by ods-signer.
Best regards,
Stuart
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
