Hi Christoph,

Firstly I should say that the current key will not be retired until you say that the new key has appeared in the DNS... I.e. it will live on past retirement while no key is in place to take over.

That new key must have been published at some point, but I can't tell when from your email. Are you giving the enforcer time to run with the changed dates before you run the key list command?

Finally, where do you get your 10 day timer from?

Sion

On 15/07/14 15:26, [email protected] wrote:
> Hi,
>
> I'm playing around with opendnssec. I added a zone to opendnssec and
> it was signed.
>
> Then I changed the date of the Server to (12.07.2015) a few dates
> before the KSK retires.
>
> In the log file:
>
> Rollover of KSK expected at 2015-07-15 18:20:53 for vtg.at
>
> Also when I print the current keys:
>
> vtg.at KSK active 2015-07-15 18:20:53 (retire)
>
> Then I changed the date to 2015-07-16. Suddenly a second KSK was here.
>
> vtg.at KSK ready waiting for ds-seen (active) 2048
>
> Why was the key not generated before the retire? I want that the key
> gets generated 10 days before he expires.
>
> Otherwise the chain of trust is broken.
>
> Can anybody help me?
>
> Best regards,
>
> Christoph
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
