[Opendnssec-user] Duration key management

sion at nominet.org.uk sion at nominet.org.uk
Fri Feb 19 13:52:01 UTC 2010


> I made some tests with OpenDNSSEC and I have some difficulty configuring
> the key rollover.
>
> There are 4 states for a key (Publish, Ready, Active and Retire).
> Isn't it possible to configure the duration of each state?
> e.g. :
> Publish P5D ->Ready P30D->Active P30D ->Retire P30D->DEAD
>
> With the current configuration, how do you arrange to have one key in each
> state?
> eg:
> KEY1 : Publish >Ready >Active >Retire >DEAD
> KEY2 :                 Publish >Ready >Active >Retire >DEAD
> KEY3 :                                 Publish >Ready >Active >Retire >DEAD
> ...
>
> I think it's important to always have a key in the Ready state for
> emergency rollover!
>
> Thanks for your answer

With the current settings you can configure how long a key is active for
(the key lifetime). You also have some influence over the publish and
retire times (by the publish and retire safety margins); however, the
actual values depend on other parameters, like the TTLs involved, etc.

In the keys/KSK and keys/ZSK sections of kasp.xml you can set the "Standby"
option to 1 or more to have extra keys in the ready state to roll to.

Note that the details of the KSK management are currently being changed to
offer 3 different rollover schemes, these should appear in v1.1.

Sion
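As an added illustration of the settings Sion mentions (this is not a fragment from the original thread or from the OpenDNSSEC distribution), the Keys section of a kasp.xml policy for the 1.x enforcer might look like the following. The policy name, the repository name "SoftHSM", and all durations are assumptions chosen for the example; the element names (Lifetime, PublishSafety, RetireSafety, Standby, TTL) are the ones the reply refers to.

```xml
<!-- Added example, not taken from the thread or from OpenDNSSEC's own files.
     Policy name, repository name and all durations are assumed values. -->
<KASP>
  <Policy name="example">
    <Keys>
      <!-- TTL used for DNSKEY records; feeds into how long a key must be
           published before it is considered Ready, and held after Retire. -->
      <TTL>PT3600S</TTL>

      <!-- Extra margin added on top of the TTL-derived publish/retire times.
           These are the only direct knobs for those two states; the actual
           state durations are computed by the enforcer, not set here. -->
      <PublishSafety>PT3600S</PublishSafety>
      <RetireSafety>PT3600S</RetireSafety>

      <!-- How long a Dead key is kept in the database before removal. -->
      <Purge>P14D</Purge>

      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <!-- Active lifetime: the one state length you set directly. -->
        <Lifetime>P1Y</Lifetime>
        <Repository>SoftHSM</Repository>
        <!-- One spare KSK kept in the Ready state for emergency rollover. -->
        <Standby>1</Standby>
      </KSK>

      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>SoftHSM</Repository>
        <!-- One spare ZSK kept Ready as well. -->
        <Standby>1</Standby>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
```

Note that Standby gives the "always one key in Ready" behaviour asked for above; the Publish and Retire durations still follow from the DNSKEY TTL, the safety margins and the zone's propagation delays rather than from a fixed per-state duration as in the P5D/P30D scheme the question proposes.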
