On Thu, 19 Nov 2015, Rick van Rein wrote:

When using OpenDNSSEC, I see that DNSKEY sets are signed with keys
that are in the retire state.
Why does this happen?

Even if OpenDNSSEC is aware that a key is to be retired, it doesn't mean that
the rest of the World knows; DNS caches may still have the key loaded as a
trusted validator, and want to be able to validate the zone based on it.

Doesn't it work the other way around? If you get an RRSIG with a
different keyid, you re-fetch the DNSKEY RRset?

I would think perhaps those RRSIGs didn't reach their renewal time
yet, and only when those RRsets are resigned is the new key used?

Paul
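The cache behaviour the thread is discussing, as an added illustration (a constructed toy model written for this page, not OpenDNSSEC code and not any poster's words): a validating cache holds the DNSKEY RRset and the RRSIGs it has seen as separate entries with their own TTLs, so it can end up holding a signature made by the retiring key next to a DNSKEY RRset that no longer contains that key. The model also includes the "re-fetch the DNSKEY RRset on an unknown key tag" step from the question above, to show what that re-fetch does and does not rescue. Key tags, TTL and times are made up.

```python
# Toy model of a DNSSEC ZSK rollover as a validating cache sees it.
# Constructed example; not OpenDNSSEC code.  Times are seconds on a toy
# clock, key tags are made up, and the zone has one signed RRset ("www A").
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

TTL = 3600                 # cache TTL of every RRset in the toy zone
OLD, NEW = 11111, 22222    # constructed key tags of the retiring and new ZSK


@dataclass(frozen=True)
class RRSIG:
    covered: str      # RRset the signature covers
    key_tag: int      # DNSKEY that produced it
    expiration: int   # absolute expiry time of the signature itself


@dataclass
class SignerState:
    """What the authoritative servers answer from a given instant on."""
    dnskey_tags: Set[int]        # keys present in the published DNSKEY RRset
    rrsigs: Dict[str, RRSIG]     # signature currently served for each RRset


def timeline(keep_retired: bool) -> Dict[int, SignerState]:
    """Publication events (time -> state).  NEW is pre-published one TTL before
    the switch at t=0; OLD signs until t=0 and NEW afterwards.  With
    keep_retired=True, OLD stays in the DNSKEY RRset (the 'retire' state) until
    t=TTL, when the last signature it made can no longer sit in any cache.
    With keep_retired=False it is dropped at the switch."""
    sig_old = RRSIG("www A", OLD, expiration=100_000)
    sig_new = RRSIG("www A", NEW, expiration=200_000)
    states = {
        -TTL: SignerState({OLD, NEW}, {"www A": sig_old}),
        0: SignerState({OLD, NEW}, {"www A": sig_new}),
    }
    states[TTL if keep_retired else 0] = SignerState({NEW}, {"www A": sig_new})
    return states


def served(states: Dict[int, SignerState], now: int) -> SignerState:
    """State in effect at `now`: the latest event at or before it."""
    return states[max(t for t in states if t <= now)]


class Cache:
    """A validating resolver cache with per-entry TTL expiry."""

    def __init__(self, states: Dict[int, SignerState]) -> None:
        self.states = states
        self.store: Dict[str, Tuple[Union[Set[int], RRSIG], int]] = {}

    def get(self, name: str, now: int):
        """Return the cached value for `name`, refetching it once it has expired."""
        if name in self.store and self.store[name][1] > now:
            return self.store[name][0]
        state = served(self.states, now)
        value = state.dnskey_tags if name == "DNSKEY" else state.rrsigs[name]
        self.store[name] = (value, now + TTL)
        return value

    def validate(self, rrset: str, now: int) -> bool:
        """Does the cached signature for `rrset` verify against the DNSKEY
        RRset the cache knows?  An unknown key tag triggers a DNSKEY refetch,
        which only helps if that key is still published."""
        sig = self.get(rrset, now)
        if sig.expiration <= now:
            return False
        keys = self.get("DNSKEY", now)
        if sig.key_tag not in keys:
            self.store.pop("DNSKEY", None)
            keys = self.get("DNSKEY", now)
        return sig.key_tag in keys


def scenario(keep_retired: bool) -> List[bool]:
    """One cache: learns the DNSKEY RRset at t=-3000 and the OLD-signed
    answer just before the switch, then keeps validating.  Returns the
    outcomes at t = -1, 1, 1800 and TTL+1."""
    cache = Cache(timeline(keep_retired))
    cache.get("DNSKEY", -3000)
    return [cache.validate("www A", t) for t in (-1, 1, 1800, TTL + 1)]


if __name__ == "__main__":
    print("retired key kept published:", scenario(True))    # all True
    print("retired key dropped early: ", scenario(False))   # fails at t=1800
```

At t=1800 the cache's DNSKEY entry has expired while its OLD-signed answer has not. If the retiring key is still in the DNSKEY RRset, the refetch finds it and validation succeeds; if it was dropped at the switch, the refetch returns a set without OLD and the answer fails validation until the cached signature ages out. That is the window the retire state covers: the signer keeps the key published (and keeps signing the DNSKEY RRset with it where it is a KSK) for as long as a cache could still hold something that was signed by it.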

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
