On 27/08/12 07:01, Áõ˶ wrote:
Hi,
I'm testing KSK rollover, when the newly created KSK is set active by
ds-seen, the old KSK became retired, but the DNSKEY is still signed by
the old KSK after resigning , the new KSK is not used at all. I used
to think there should be two RRSIG DNSKEYs because of Double Signing.
When will the new KSK be used for signing? When will the old KSK get
deleted? The DS is valid in parent zone now, but I can not delete the
old DS because new KSK is not used by ods-signer.
Hi Stuart.
Is it possible that something is preventing the signconf xml file from
being written? If this is the case then the signer will not change the
keys it uses.
Sion
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
