Hi Jake,

With your key and signing policy (KASP) you should be able to determine when the key will actually be used for signing. OpenDNSSEC implements 'smooth' ZSK rollover, meaning that if the signatures of the predecessor are still fresh, they won't be replaced yet, even if the predecessor is retired and the new key is active.

Looking at the default KASP, the validity is 14 days, and refresh is 3 days. Ignoring the jitter for now, it may take at most around 11 days before all predecessor signatures are replaced with a new one, from 7645. So depending on how your RRSIG expiration timers are spread, it could take some time before the new key has actually generated a signature.

Best regards,

Matthijs

On 11/06/2012 04:17 PM, elsif wrote:
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:   Keytype:  State:   Date of next transition (to):   Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> <snip>  KSK       ready    waiting for ds-seen (active)    2048   8           4e73113d40c313a459d91ba0efe4b7c7  AEP          58156
> <snip>  ZSK       retire   2012-11-13 05:47:10 (dead)      1024   8           8b28e3a000a937d4c4e4e33774e35c3a  AEP          19855
> <snip>  ZSK       active   2012-12-05 16:47:10 (retire)    1024   8           07b751af4606264c62767c6894f41e3f  AEP          7645
>
> Yesterday the ZSK rollover occurred. 19855 moved to "retire", "7645"
> was selected as the next key and made "active".
>
> ODS hasn't used the new "7645" key yet. It's been 14 hours, 14 signings.
>
> I nuked the old signed zone thinking that perhaps it was re-using old
> signatures and hadn't required signing with the new key yet, but that's
> had no effect.
>
> So...when exactly is ODS supposed to start mentioning the "active" key
> in the zone?
>
> -jake
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
