[Opendnssec-user] Retired keys

Marco Davids (SIDN) marco.davids at sidn.nl
Wed Jul 7 12:05:12 UTC 2010

On 2010-07-07 09:07, Sion Lloyd wrote:
>> However, in spite of short timing-settings, the number of retired ZSK's
>> is increasing, because their next transition time is always one week
>> ahead, no matter what I try to shorten this.
>> I fiddled around with a number of options, in particular the
>> RetireSafety setting, but so far without luck.
>> What am I missing here?
> The time that a key is in the retire state is given by the signature lifetime 
> + the propagation delay + the retire safety margin (and strictly we should add 
> jitter in too).

Yep, that was it; signature lifetime was still at P7D. Thank you!

It might be interesting to extend ods-ksmutil with an option that draws
a kind of timeline similar to:


Only then with the actual configured values included.



More information about the Opendnssec-user mailing list