Maintained by: NLnet Labs

RFC5011 : 30days add-holddown timer

W.C.A. Wijngaards
Mon Aug 21 11:48:16 CEST 2017

Hi Daisuke HIGASHI,

Yes that is a bug, it should not be in ADDPEND but in VALID.  This was
caused by unbound checking the signature as well as the DS hash for the
installed keys.  I have patched this and a new version is released
(1.6.5) for this fix.

Best regards, Wouter

On 16/08/17 18:46, Daisuke HIGASHI via Unbound-users wrote:
> Hi,
>   In the moment unbound-anchor(8) creates root,key file that contains
> new KSK trust anchor as ADDPEND state. Does it take 30 days to update
> new key’s state to VALID ?
> (If so, new Unbound installation after 11 Sep (30days to the KSK roll)
> fail to update trusted sets until KSK roll?)
> Regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>