Skip to content

Expired zone signatures are not replaced with KSK signatures

We fixed #763 (closed) to make sure not to sign the DNSKEY RRset with the ZSK if the KSK was offline (even if the signatures were expired).

The change caused the definition of "having both keys": if one key is offline, we still consider having both keys, so we don't fallback signing with the ZSK if KSK is offline.

That change also works the other way, if the ZSK is offline, we don't fallback signing with the KSK. But in this case the fallback could actually help preventing the zone from going bogus.

Update the fix for #763 (closed) to allow fallback of signing zone RRsets with the KSK in case the ZSK is offline.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information