[Opendnssec-user] Retired keys

Sion Lloyd sion at nominet.org.uk
Wed Jul 7 07:07:37 UTC 2010

> However, in spite of short timing-settings, the number of retired ZSK's
> is increasing, because their next transition time is always one week
> ahead, no matter what I try to shorten this.
> I fiddled around with a number of options, in particular the
> RetireSafety setting, but so far without luck.
> What am I missing here?

The time that a key is in the retire state is given by the signature lifetime 
+ the propagation delay + the retire safety margin (and strictly we should add 
jitter in too).

If this doesn't match what you are seeing then if you send me a copy of your 
kasp.db I can have a look at what is going on.


More information about the Opendnssec-user mailing list