Hi Maurice, > When using OpenDNSSEC, I see that DNSKEY sets are signed with keys > that are in the retire state. > Why does this happen ?
Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that the rest of the World knows; DNS caches may still have the key loaded as a trusted validator, and want to be able to validate the zone based on it. -Rick _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
