[Opendnssec-user] Retired keys
sion at nominet.org.uk
Wed Jul 7 07:07:37 UTC 2010
> However, in spite of short timing-settings, the number of retired ZSK's
> is increasing, because their next transition time is always one week
> ahead, no matter what I try to shorten this.
> I fiddled around with a number of options, in particular the
> RetireSafety setting, but so far without luck.
> What am I missing here?
The time that a key is in the retire state is given by the signature lifetime
+ the propagation delay + the retire safety margin (and strictly we should add
jitter in too).
If this doesn't match what you are seeing then if you send me a copy of your
kasp.db I can have a look at what is going on.
More information about the Opendnssec-user