- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 2.1.6
- Fix Version/s: None
- Component/s: Signer
- Labels: None
I started off with these parameters:
<Refresh>P56D</Refresh> <Validity><Default>P63D</Default><Denial>P63D</Denial></Validity>
I then changed to these parameters:
<Refresh>P24D</Refresh> <Validity><Default>P30D</Default><Denial>P30D</Denial></Validity>
The result is that I now have some in-progress ZSK rollovers where only the SOA is being signed with the correct ZSK and older records still have signatures from multiple older ZSKs. I'm doing a KSK algorithm change so at one point there were 8 DNSKEYs on a zone.
I can't increase the Refresh time to force it to resign the older signatures and I can't set the Refresh time to 0 (as documented by https://wiki.opendnssec.org/display/DOCS/kasp.xml) because neither of those time configurations is allowed.
The check on whether signatures need to be refreshed should be ignored when doing a key rollover if the signatures were made with the old key.
The check on whether signatures need to be refreshed should also consider the hypothetical scenario of whether the signature would be refreshed if it had been created with the current configuration (at the time it was originally created), or if it has a validity period different from the configured validity period.
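The two refresh rules this report contrasts, modelled in Python as an added example (this is not OpenDNSSEC's signer code): the current rule re-signs only when an RRSIG's remaining lifetime falls below <Refresh>, while the proposed rule also re-signs during a ZSK rollover and judges the signature against the validity it would have under today's configuration. The Policy/Rrsig names, key tags and dates are constructed, and the Refresh/Validity values are the ones quoted above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Policy:
    """The kasp.xml values quoted in the report: <Refresh> and <Validity><Default>."""
    refresh: timedelta
    validity: timedelta


@dataclass(frozen=True)
class Rrsig:
    """The parts of an RRSIG that matter for the refresh decision."""
    inception: datetime
    expiration: datetime
    key_tag: int  # key tag of the ZSK that produced the signature


OLD_POLICY = Policy(refresh=timedelta(days=56), validity=timedelta(days=63))
NEW_POLICY = Policy(refresh=timedelta(days=24), validity=timedelta(days=30))


def needs_refresh_current(sig: Rrsig, policy: Policy, now: datetime) -> bool:
    """Rule as the report describes it: re-sign only once the remaining
    lifetime of the existing signature drops below <Refresh>."""
    return sig.expiration - now < policy.refresh


def needs_refresh_proposed(sig: Rrsig, policy: Policy, now: datetime,
                           active_zsk_tag: int) -> bool:
    """Rule the report asks for: a signature made by a key other than the
    active ZSK is always due; otherwise judge it by the earlier of its real
    expiration and the expiration it would have under the current policy."""
    if sig.key_tag != active_zsk_tag:
        return True
    would_expire = sig.inception + policy.validity
    return min(sig.expiration, would_expire) - now < policy.refresh


def first_refresh_day(check: Callable[[Rrsig, Policy, datetime], bool],
                      sig: Rrsig, policy: Policy, max_days: int = 70) -> Optional[int]:
    """First whole day after inception on which `check` wants a re-sign, else None."""
    for day in range(max_days + 1):
        now = sig.inception + timedelta(days=day)
        if check(sig, policy, now):
            return day
    return None


# Constructed sample: one signature made under the old policy by ZSK tag 11111.
T0 = datetime(2013, 1, 1, tzinfo=timezone.utc)
OLD_SIG = Rrsig(inception=T0, expiration=T0 + OLD_POLICY.validity, key_tag=11111)
```

With NEW_POLICY in force the current rule leaves OLD_SIG untouched until day 40 (63 - 24 + 1), which is the lingering the report observes; the proposed rule re-signs it on day 7 without a rollover and on day 0 once a different ZSK is active.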