<div dir="ltr">Thanks Sion,<br><br>The information was very useful for my ;-)<br><br>However, something strange is happening with the rollover times:<br><br><br>KSK           active    2014-05-20 17:05:53 (retire)<br>KSK           publish   2014-05-19 10:47:20 (ready)<br>
<br>ZSK           retire    2014-05-18 16:02:20 (dead)<br>ZSK           active    2014-05-16 11:18:26 (retire)<br>ZSK           publish   2014-05-18 19:14:46 (ready)<br><br><br>ZSK active key goes to "retire" status before the new  ZSK key changes to "ready" status…<br>
<br>Something similar happens with the KSK key.<br><br>I think the current active key must continue as "active" till the next key can be "ready" ... Is that correct? <br><br>Why these inconsistencies appear?<br>
<br>I tried that new keys to be published several days before the rollover takes place. The only way (I have found) to achieve that is by modifying "PropagationDelay" parameter of the "zone" section for the ZSK and the "Parent" for the KSK key.<br>
<br>Is it correct? Does exists any other way to do that?<br><br>Thank you very much</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-05-14 14:57 GMT+02:00 Sion Lloyd <span dir="ltr"><<a href="mailto:sion@nominet.org.uk" target="_blank">sion@nominet.org.uk</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div>
<div style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">To paraphrase the key timings draft:<br>
<br>
     * A key in the "publish" state moves into the "ready" state when it has<br>
     * been published for at least:<br>
     *<br>
     *      Ipc = TTLkeyc + Dpc +Sp<br>
     *<br>
     * ... where:<br>
     *<br>
     *      TTLkeyc  = TTL of the ZSK DNSKEY record<br>
     *      Dpc      = Propagation delay<br>
     *      Sp       = Publish Safety Margin<br>
     *<br>
<br>
OpenDNSSEC will attempt to publish a key at least this far ahead of the previous ZSK's retire time. It is slightly complicated by the run interval of the enforcer, so might be a bit earlier.<br>
<br>
Generation may be as required (i.e. it will be generated and published at the same time) or you may generate a whole batch of keys ahead of schedule.<br>
<br>
Sion<br>
<br>
<div style="font-family:Times New Roman;color:#000000;font-size:16px">
<hr>
<div style="direction:ltr"><font color="#000000" face="Tahoma"><b>From:</b> <a href="mailto:opendnssec-user-bounces@lists.opendnssec.org" target="_blank">opendnssec-user-bounces@lists.opendnssec.org</a> [<a href="mailto:opendnssec-user-bounces@lists.opendnssec.org" target="_blank">opendnssec-user-bounces@lists.opendnssec.org</a>] on behalf of Javier Jiménez Huedo [<a href="mailto:bodegax@gmail.com" target="_blank">bodegax@gmail.com</a>]<br>

<b>Sent:</b> 13 May 2014 13:18<br>
<b>To:</b> <a href="mailto:opendnssec-user@lists.opendnssec.org" target="_blank">opendnssec-user@lists.opendnssec.org</a><br>
<b>Subject:</b> [Opendnssec-user] How to calc new ZSK / KSK and pre-publish date<br>
</font><br>
</div><div><div class="h5">
<div></div>
<div>
<div dir="ltr">Dear OpenDNSSEC users,<br>
<div><br>
I am confused about the following behavior of openDNSSEC:<br>
<br>
I have the following ZSK active key:<br>
<br>
Key type     State:   Next transition:<br>
 ZSK           active    2014-05-19 16:02:20 (retire) <br>
<br>
<div>KSK Lifetime P20D<br>
</div>
ZSK LifeTime P10D<br>
<br>
<br>
</div>
<div><span lang="en"><span>How</span> <span>
I can</span> <span>calculate the date</span> <span>of</span> <span>
generation of the</span> <span>next</span> <span>ZSK</span> <span>
key</span><span>?</span> <br>
<span>How</span> <span>I can</span> <span>calculate the date</span>
<span>of</span> <span>pre</span><span>-publication</span>
<span>next</span> <span>ZSK</span> <span>key</span><span>?</span></span></div>
<div><br>
Kasp.xml:<br>
<br>
<Signatures><br>
               <Resign>PT5H</Resign><br>
               <Refresh>P2D</Refresh><br>
               <Validity> <br>
                               <Default>P5D</Default><br>
                               <Denial>P5D</Denial><br>
               </Validity><br>
               <InceptionOffset>PT3600S</InceptionOffset><br>
...<br>
<Signatures><br>
<br>
<br>
<keys><br>
                <TTL>PT3600S</TTL><br>
                <PublishSafety>PT1H</PublishSafety> <br>
...<br>
</div>
</keys><br>
<div><Zone><br>
                        <PropagationDelay>PT30S</PropagationDelay><br>
...<br>
</div>
<div></zone><br>
</div>
<div><parent><br>
               <PropagationDelay>PT5H</PropagationDelay><br>
               <DS><TTL>P1D</TTL></DS><br>
               <SOA><TTL>P1D</TTL> <Minimum>P1D</Minimum></SOA><br>
</div>
<div></parent><br>
</div>
</div>
</div>
</div></div></div>
</div>
</div>

</blockquote></div><br></div>