<div dir="ltr">That was very helpful and exactly what I wanted to hear. Thank you.<div><br></div><div>Emil</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 26, 2015 at 12:03 PM, Siôn Lloyd <span dir="ltr"><<a href="mailto:sion@nominet.org.uk" target="_blank">sion@nominet.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 25/03/15 10:35, Emil Natan wrote:<br>
> Hi Sion,<br>
><br>
> Thank you for the reply. That's exactly what I did, but I was more<br>
> concerned what will happen if we forget about the rollover and the<br>
> alerts are missed for some reason. Of course I can give it a bit more<br>
> buffer, but if the rollover is missed at some point I presume the key<br>
> will be marked retired and the DNSKEY not signed in the case if KSK. Is<br>
> that right?<br>
<br>
</span>No, the key will not be retired until there is a suitable replacement<br>
available... The system will nag you but no more.<br>
<br>
This is true for manual rollover set or not; in fact the KSK rollover<br>
already has the manual step of the "ds-seen" command being issued. You<br>
could, in theory, never run this command and the system will continue to<br>
use the old key.<br>
<br>
Sion<br>
<span class=""><br>
<br>
><br>
> Emil<br>
><br>
> On Wed, Mar 25, 2015 at 10:57 AM, Siôn Lloyd <<a href="mailto:sion@nominet.org.uk">sion@nominet.org.uk</a><br>
</span><div><div class="h5">> <mailto:<a href="mailto:sion@nominet.org.uk">sion@nominet.org.uk</a>>> wrote:<br>
><br>
> On 24/03/15 17:21, Emil Natan wrote:<br>
> > Hello,<br>
> ><br>
> > I was just wondering what's the meaning of the Lifetime parameter when<br>
> > used with ManualRollover. I understand that the Lifetime is used when<br>
> > pregenerating keys for example to calculate the numbers of keys for a<br>
> > period, but if ManualRollover is set what the enforcer will do when<br>
> > the Lifetime limit is met (more than just send an alert)? I'm going to<br>
> > test this scenario in test environment, but I'm interested what other<br>
> > think about it.<br>
> ><br>
> > Thanks.<br>
> ><br>
> > Emil<br>
><br>
> Hi Emil,<br>
><br>
> as you suspect the key lifetime is still used for all the same<br>
> calculations and log messages as before; however with ManualRollover set<br>
> there is a requirement for user intervention to allow the rollover to<br>
> proceed.<br>
><br>
> If you want to roll keys when you need to and without any warnings then<br>
> you can set the lifetime to something larger than you would want. Say I<br>
> want to roll keys on the 1st January every year, I could set the<br>
> lifetime to 13 months so that I will only see log messages if I forgot<br>
> to initiate the rollover.<br>
><br>
> Sion<br>
><br>
> _______________________________________________<br>
> Opendnssec-user mailing list<br>
> <a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
</div></div>> <mailto:<a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a>><br>
> <a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
<div class="HOEnZb"><div class="h5">><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Opendnssec-user mailing list<br>
> <a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
> <a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
><br>
<br>
_______________________________________________<br>
Opendnssec-user mailing list<br>
<a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
<a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
</div></div></blockquote></div><br></div>