ISC Open Source Projects / BIND / Issues / #3049

Closed
Created Dec 07, 2021 by Matthijs Mekking (@matthijs), Owner

Expired zone signatures are not replaced with KSK signatures

We fixed #763 (closed) to make sure not to sign the DNSKEY RRset with the ZSK if the KSK was offline (even if the signatures were expired).

The change caused the definition of "having both keys" to change: if one key is offline, we still consider having both keys, so we don't fall back to signing with the ZSK if the KSK is offline.

That change also works the other way: if the ZSK is offline, we don't fall back to signing with the KSK. But in this case the fallback could actually help prevent the zone from going bogus.

Update the fix for #763 (closed) to allow fallback of signing zone RRsets with the KSK in case the ZSK is offline.
