Hi,

----- Original Message -----
> From: "Maurice" <[email protected]>
> To: "Rick van Rein" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, 19 November, 2015 15:40:29
> Subject: Re: [Opendnssec-user] DNSKEY set signed with KSK in retire state.

> Hi Rick,

> I understand that the KSK stays a while in the zone file so that key sets
> signed with this key can expire from caches. But why is the KSK in retired
> state still used to sign the DNSKEY set? Looking further into it I also see
> that KSKs in the publish state produce RRSIGs for the keyset.
> Probably this is by design. For ZSKs only the one in the ready state is used
> for signing. But probably all the KSKs, independently of state, produce a
> DNSKEY RRSIG.

An RRset and its RRSIG propagate as an atomic entry in DNS caches, and for the
DNSKEY RRset this means that a newly introduced KSK and the corresponding RRSIG
will find their way into resolver caches at the same time. As such there is no
need to pre-publish a new KSK DNSKEY until it can be used to sign the DNSKEY
RRset. For a ZSK this is not true, for obvious reasons.

Regarding the retired KSK, the DNSKEY RRset must be signed with it as long as
the old DS record corresponding to the retired KSK can still be present in
caches.

Antti
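The two timing rules in the reply above (a new KSK may sign the DNSKEY RRset from the moment it is published, and a retired KSK must keep signing until the old DS has expired from every cache) can be checked with a small model. The following is an added example, not code from the thread or from OpenDNSSEC. It assumes, as Maurice observed, that every KSK present in the DNSKEY RRset signs it, and that a resolver caches the DS RRset and the DNSKEY RRset independently, each for up to its TTL. The key tags, TTLs and hour offsets are constructed; the "one DNSKEY TTL before the DS swap" wait in `safe_schedule` is standard double-signature KSK rollover practice and is an assumption of this example rather than something the thread states.

```python
from dataclasses import dataclass

# Constructed key tags for the illustration; not real DNSSEC key tags.
OLD_KSK, NEW_KSK = 100, 200


@dataclass(frozen=True)
class KskRollover:
    """Hypothetical KSK rollover timeline (all times in hours from an arbitrary t=0)."""
    new_publish: int  # new KSK enters the DNSKEY RRset and immediately signs it
    ds_swap: int      # parent replaces the old DS with the new DS
    old_retire: int   # old KSK stops signing and leaves the DNSKEY RRset

    def parent_ds(self, t: int) -> frozenset:
        """Key tags referenced by the DS RRset the parent serves at time t."""
        return frozenset({NEW_KSK}) if t >= self.ds_swap else frozenset({OLD_KSK})

    def dnskey_signers(self, t: int) -> frozenset:
        """KSKs in the DNSKEY RRset served at time t. As observed in the thread,
        every published KSK signs the RRset whatever its state, so the signer
        set equals the set of published KSKs."""
        signers = set()
        if t < self.old_retire:
            signers.add(OLD_KSK)
        if t >= self.new_publish:
            signers.add(NEW_KSK)
        return frozenset(signers)


def dnskey_validates(ds_tags: frozenset, signer_tags: frozenset) -> bool:
    """A validator accepts the DNSKEY RRset only if a DS it holds matches a KSK
    that actually signed the RRset (chain: DS -> KSK -> RRSIG over DNSKEY)."""
    return bool(ds_tags & signer_tags)


def bogus_states(r: KskRollover, ds_ttl: int, dnskey_ttl: int, horizon: int) -> list:
    """Enumerate every (now, ds_fetch, dnskey_fetch) combination a resolver can be
    in, given that DS and DNSKEY are cached independently for up to their TTLs,
    and return those in which the cached DNSKEY RRset does not validate against
    the cached DS (the resolver would mark the zone bogus)."""
    bad = []
    for now in range(horizon):
        for ds_age in range(ds_ttl):          # cached DS still within its TTL
            for dk_age in range(dnskey_ttl):  # cached DNSKEY still within its TTL
                ds_fetch, dk_fetch = now - ds_age, now - dk_age
                if ds_fetch < 0 or dk_fetch < 0:
                    continue
                if not dnskey_validates(r.parent_ds(ds_fetch), r.dnskey_signers(dk_fetch)):
                    bad.append((now, ds_fetch, dk_fetch))
    return bad


def safe_schedule(ds_swap: int, ds_ttl: int, dnskey_ttl: int) -> KskRollover:
    """Publish (and sign with) the new KSK at least one DNSKEY TTL before the DS
    swap, and keep the retired KSK signing for one DS TTL after it, which is the
    retire rule the reply describes."""
    return KskRollover(new_publish=ds_swap - dnskey_ttl, ds_swap=ds_swap,
                       old_retire=ds_swap + ds_ttl)


if __name__ == "__main__":
    DS_TTL, DNSKEY_TTL = 24, 12  # constructed TTLs in hours
    ok = safe_schedule(ds_swap=48, ds_ttl=DS_TTL, dnskey_ttl=DNSKEY_TTL)
    print("safe schedule, bogus resolver states:",
          len(bogus_states(ok, DS_TTL, DNSKEY_TTL, 100)))
    # Dropping the retired KSK's signature at the moment the DS is swapped leaves
    # resolvers that still cache the old DS unable to validate a refreshed DNSKEY RRset.
    early = KskRollover(new_publish=36, ds_swap=48, old_retire=48)
    print("premature retire, first bogus states:",
          bogus_states(early, DS_TTL, DNSKEY_TTL, 100)[:3])
```

With the safe schedule the enumeration finds no resolver state that fails validation; retiring the old KSK's signature at the DS swap produces failures as soon as a resolver refreshes DNSKEY while still holding the old DS, and swapping the DS in the same hour the new KSK appears fails the other way round (new DS, DNSKEY RRset cached without the new key). The same cache-independence argument, applied to ordinary RRsets versus the DNSKEY RRset, is why a ZSK does need pre-publishing while a KSK does not.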
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user