[Opendnssec-user] Duration key management

Stéphane Diacquenod sdiacque at citic74.fr
Fri Feb 19 15:17:12 UTC 2010

On 19.02.2010 14:52, sion at nominet.org.uk wrote:
>> I am running some tests with OpenDNSSEC and I am having some difficulty
>> configuring the key rollover.
>> There are 4 states for a key (Publish, Ready, Active and Retire).
>> Isn't it possible to configure the duration of each state?
>> e.g.:
>> Publish P5D -> Ready P30D -> Active P30D -> Retire P30D -> DEAD
>> With the current configuration, how do you arrange to have one key in each
>> state?
>> e.g.:
>> KEY1 : Publish>Ready>Active>Retire>DEAD
>> KEY2 :                 Publish>Ready>Active>Retire>DEAD
>> KEY3 :                                 Publish>Ready>Active>Retire
>> ...
>> I think it's important to always have a key in the Ready state for an
>> emergency rollover!
>> Thanks for your answer.
> With the current settings you can configure how long a key is active for
> (the key lifetime). You also have some influence over the publish and
> retire times (by the publish and retire safety margins); however, the
> actual values depend on other parameters, like the TTLs involved etc...
> In the keys/KSK and keys/ZSK sections of kasp.xml you can set the "Standby"
> option to 1 or more to have extra keys in the ready state to roll to.
> Note that the details of the KSK management are currently being changed to
> offer 3 different rollover schemes, these should appear in v1.1.
> Sion
Thanks for your answer!
I have played with the kasp.conf file and the TTL option, etc.
It's more clear for me now, thanks.
But I think there is a problem with the Standby option.
If I put KSK Standby = 5 and ZSK Standby = 0, I have 6 KSK and 6 ZSK (1 Active + 5 publish)
If I put KSK Standby = 0 and ZSK Standby = 5, I have 1 KSK and 6 ZSK (1 Active + 0 publish)

I think the Standby parameter of the KSK is kept for the ZSK.

Tell me if I am wrong.

Stéphane Diacquenod
Apprentice Engineer
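
As an added example (not part of the original message and not OpenDNSSEC code), here is a check of the key counts reported above against the Standby values in kasp.xml. It assumes a steady state outside a rollover, where each key type holds one active key plus its Standby count; the XML fragment, the observed key list and the function names are constructed for illustration from the first test in the message.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed kasp.xml fragment mirroring the first test in the message
# (KSK Standby = 5, ZSK Standby = 0). Lifetimes and TTLs are illustrative.
KASP_XML = """
<KASP>
  <Policy name="default">
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <KSK><Lifetime>P1Y</Lifetime><Standby>5</Standby></KSK>
      <ZSK><Lifetime>P30D</Lifetime><Standby>0</Standby></ZSK>
    </Keys>
  </Policy>
</KASP>
"""

# Constructed observation: 6 KSK and 6 ZSK, each 1 active + 5 publish.
OBSERVED = ([("KSK", "active")] + [("KSK", "publish")] * 5
            + [("ZSK", "active")] + [("ZSK", "publish")] * 5)

def expected_counts(kasp_xml, policy="default"):
    """Per key type: one active key plus the configured Standby value."""
    root = ET.fromstring(kasp_xml)
    pol = next((p for p in root.findall("Policy")
                if p.get("name") == policy), None)
    if pol is None:
        raise ValueError(f"policy {policy!r} not found")
    counts = {}
    for role in ("KSK", "ZSK"):
        node = pol.find(f"Keys/{role}")
        if node is None:
            raise ValueError(f"policy {policy!r} has no Keys/{role} section")
        # A missing <Standby> element is treated as 0 here (assumption).
        standby = int(node.findtext("Standby", default="0"))
        if standby < 0:
            raise ValueError(f"{role} Standby must not be negative")
        counts[role] = 1 + standby
    return counts

def audit(kasp_xml, observed_keys, policy="default"):
    """Return {role: (expected, seen)} for each key type whose count differs."""
    expected = expected_counts(kasp_xml, policy)
    seen = Counter(role for role, _state in observed_keys)
    return {role: (want, seen[role])
            for role, want in expected.items() if seen[role] != want}

if __name__ == "__main__":
    print(audit(KASP_XML, OBSERVED))
```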
