<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      What do you have set as the run interval of the enforcer? (This is
      set in kasp.xml) The run interval needs to be short compared to
      your other timers or else you will get interactions between them.
      <br>
      <br>
      Another way this sort of issue can be caused is having a key
      lifetime that is short compared to other timers; this makes it
      tricky to publish keys long enough in advance so that they are
      ready to take over.<br>
      <br>
      The other possibility is that the enforcer didn't run for some
      time and is now catching up; check your logs for any messages that
      may indicate issues.<br>
      <br>
      As you say, the ZSK listed in the middle will remain active until
      the published key is ready to take over, extending its lifetime.<br>
      <br>
      Sion<br>
      <br>
      On 16/05/14 11:00, Javier Jiménez Huedo wrote:<br>
    </div>
    <blockquote
cite="mid:CAK6zKteq82dB3p0iAn=wuTidRz0m_+MgKdvAqwJ49=0JJPHhPA@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div dir="ltr">Thanks Sion,<br>
        <br>
        The information was very useful for me ;-)<br>
        <br>
        However, something strange is happening with the rollover times:<br>
        <br>
        <br>
        KSK           active    2014-05-20 17:05:53 (retire)<br>
        KSK           publish   2014-05-19 10:47:20 (ready)<br>
        <br>
        ZSK           retire    2014-05-18 16:02:20 (dead)<br>
        ZSK           active    2014-05-16 11:18:26 (retire)<br>
        ZSK           publish   2014-05-18 19:14:46 (ready)<br>
        <br>
        <br>
        ZSK active key goes to "retire" status before the new  ZSK key
        changes to "ready" status…<br>
        <br>
        Something similar happens with the KSK key.<br>
        <br>
        I think the current active key must continue as "active" till
        the next key can be "ready" ... Is that correct? <br>
        <br>
        Why do these inconsistencies appear?<br>
        <br>
        I tried to have new keys published several days before the
        rollover takes place. The only way (I have found) to achieve
        that is by modifying the "PropagationDelay" parameter of the "zone"
        section for the ZSK and the "Parent" for the KSK key.<br>
        <br>
        Is it correct? Is there any other way to do that?<br>
        <br>
        Thank you very much</div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">2014-05-14 14:57 GMT+02:00 Sion Lloyd <span
            dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:sion@nominet.org.uk" target="_blank">sion@nominet.org.uk</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div>
              <div
                style="direction:ltr;font-family:Tahoma;color:#000000;font-size:10pt">To
                paraphrase the key timings draft:<br>
                <br>
                     * A key in the "publish" state moves into the
                "ready" state when it has<br>
                     * been published for at least:<br>
                     *<br>
                     *      Ipc = TTLkeyc + Dpc +Sp<br>
                     *<br>
                     * ... where:<br>
                     *<br>
                     *      TTLkeyc  = TTL of the ZSK DNSKEY record<br>
                     *      Dpc      = Propagation delay<br>
                     *      Sp       = Publish Safety Margin<br>
                     *<br>
                <br>
                OpenDNSSEC will attempt to publish a key at least this
                far ahead of the previous ZSK's retire time. It is
                slightly complicated by the run interval of the
                enforcer, so might be a bit earlier.<br>
                <br>
                Generation may be as required (i.e. it will be generated
                and published at the same time) or you may generate a
                whole batch of keys ahead of schedule.<br>
                <br>
                Sion<br>
                <br>
                <div style="font-family:Times New
                  Roman;color:#000000;font-size:16px">
                  <hr>
                  <div style="direction:ltr"><font color="#000000"
                      face="Tahoma"><b>From:</b> <a
                        moz-do-not-send="true"
                        href="mailto:opendnssec-user-bounces@lists.opendnssec.org"
                        target="_blank">opendnssec-user-bounces@lists.opendnssec.org</a>
                      [<a moz-do-not-send="true"
                        href="mailto:opendnssec-user-bounces@lists.opendnssec.org"
                        target="_blank">opendnssec-user-bounces@lists.opendnssec.org</a>]
                      on behalf of Javier Jiménez Huedo [<a
                        moz-do-not-send="true"
                        href="mailto:bodegax@gmail.com" target="_blank">bodegax@gmail.com</a>]<br>
                      <b>Sent:</b> 13 May 2014 13:18<br>
                      <b>To:</b> <a moz-do-not-send="true"
                        href="mailto:opendnssec-user@lists.opendnssec.org"
                        target="_blank">opendnssec-user@lists.opendnssec.org</a><br>
                      <b>Subject:</b> [Opendnssec-user] How to calc new
                      ZSK / KSK and pre-publish date<br>
                    </font><br>
                  </div>
                  <div>
                    <div class="h5">
                      <div>
                        <div dir="ltr">Dear OpenDNSSEC users,<br>
                          <div><br>
                            I am confused about the following behavior
                            of OpenDNSSEC:<br>
                            <br>
                            I have the following ZSK active key:<br>
                            <br>
                            Key type     State:   Next transition:<br>
                             ZSK           active    2014-05-19 16:02:20
                            (retire) <br>
                            <br>
                            <div>KSK Lifetime P20D<br>
                            </div>
                            ZSK LifeTime P10D<br>
                            <br>
                            <br>
                          </div>
                          <div>How can I calculate the generation date
                            of the next ZSK key?<br>
                            How can I calculate the pre-publication date
                            of the next ZSK key?</div>
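                          <div><br>
                            Kasp.xml:<br>
                            <br>
                            &lt;Signatures&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;Resign&gt;PT5H&lt;/Resign&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;Refresh&gt;P2D&lt;/Refresh&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;Validity&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Default&gt;P5D&lt;/Default&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Denial&gt;P5D&lt;/Denial&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;/Validity&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;InceptionOffset&gt;PT3600S&lt;/InceptionOffset&gt;<br>
                            ...<br>
                            &lt;/Signatures&gt;<br>
                            <br>
                            <br>
                            &lt;Keys&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;TTL&gt;PT3600S&lt;/TTL&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;PublishSafety&gt;PT1H&lt;/PublishSafety&gt;<br>
                            ...<br>
                            &lt;/Keys&gt;<br>
                            &lt;Zone&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;PropagationDelay&gt;PT30S&lt;/PropagationDelay&gt;<br>
                            ...<br>
                            &lt;/Zone&gt;<br>
                            &lt;Parent&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;PropagationDelay&gt;PT5H&lt;/PropagationDelay&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;DS&gt;&lt;TTL&gt;P1D&lt;/TTL&gt;&lt;/DS&gt;<br>
                            &nbsp;&nbsp;&nbsp;&nbsp;&lt;SOA&gt;&lt;TTL&gt;P1D&lt;/TTL&gt;
                            &lt;Minimum&gt;P1D&lt;/Minimum&gt;&lt;/SOA&gt;<br>
                            &lt;/Parent&gt;<br>
                          </div>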
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
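    <div>Added example, not part of the original thread and not OpenDNSSEC
      code: it applies the quoted Ipc = TTLkeyc + Dpc + Sp formula to the
      kasp.xml values posted in the thread and models, in simplified form,
      how the enforcer run interval shifts the publish and ready
      transitions. The first run time and the three run intervals are
      assumptions.</div>

```python
import re
from datetime import datetime, timedelta

# Subset of ISO 8601 durations seen in kasp.xml; year/month units are
# rejected here because their length is ambiguous.
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    m = _DURATION.match(text)
    if not m or not any(m.groups()) or text.endswith("T"):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)

def publish_interval(ttl_key, propagation_delay, publish_safety):
    """Ipc = TTLkeyc + Dpc + Sp, as in the quoted key timings paraphrase."""
    return sum(map(parse_duration, (ttl_key, propagation_delay, publish_safety)),
               timedelta())

def run_at_or_before(moment, first_run, interval):
    """Latest enforcer run that is not after `moment`."""
    return first_run + ((moment - first_run) // interval) * interval

def run_at_or_after(moment, first_run, interval):
    """Earliest enforcer run that is not before `moment` (ceiling division)."""
    return first_run - ((first_run - moment) // interval) * interval

def plan_zsk_rollover(retire_at, ipc, first_run, interval):
    """Simplified model: the enforcer changes key states only when it runs."""
    publish_by = retire_at - ipc                       # latest safe publish time
    publish_run = run_at_or_before(publish_by, first_run, interval)
    ready_run = run_at_or_after(publish_run + ipc, first_run, interval)
    overrun = max(ready_run - retire_at, timedelta())  # old key stays active
    return {"publish_by": publish_by, "publish_run": publish_run,
            "ready_run": ready_run, "active_overrun": overrun}

# Values from the kasp.xml in the thread: Keys/TTL, Zone/PropagationDelay,
# Keys/PublishSafety, and the active ZSK's retire time.
IPC = publish_interval("PT3600S", "PT30S", "PT1H")
RETIRE_AT = datetime(2014, 5, 19, 16, 2, 20)
FIRST_RUN = datetime(2014, 5, 13, 13, 0, 0)  # constructed: assumed first run

if __name__ == "__main__":
    for label in ("PT1M", "PT1H", "P1D"):    # assumed enforcer run intervals
        plan = plan_zsk_rollover(RETIRE_AT, IPC, FIRST_RUN, parse_duration(label))
        print(label, {k: str(v) for k, v in plan.items()})
```

    <div>With these inputs Ipc is 2 h 0 min 30 s, so the new ZSK has to be
      published by 2014-05-19 14:01:50; in this model the active key
      overruns its retire time once the run interval is no longer short
      compared to Ipc.</div>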
  </body>
</html>