[Opendnssec-user] Retired keys
Marco Davids (SIDN)
marco.davids at sidn.nl
Wed Jul 7 12:05:12 UTC 2010
On 2010-07-07 09:07, Sion Lloyd wrote:
>> However, in spite of short timing settings, the number of retired ZSKs
>> is increasing, because their next transition time is always one week
>> ahead, no matter what I try to shorten this.
>>
>> I fiddled around with a number of options, in particular the
>> RetireSafety setting, but so far without luck.
>>
>> What am I missing here?
>
> The time that a key is in the retire state is given by the signature lifetime
> + the propagation delay + the retire safety margin (and strictly we should add
> jitter in too).
Yep, that was it; signature lifetime was still at P7D. Thank you!
It might be interesting to extend ods-ksmutil with an option that draws
a kind of timeline similar to:
http://trac.opendnssec.org/attachment/wiki/Signer/Using/Configuration/kasp/signature-lifetime.png
Only then with the actual configured values included.
Regards,
--
Marco
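As an added illustration of the rule Sion gives above (not OpenDNSSEC's own code), the snippet below parses KASP-style ISO 8601 durations and sums signature lifetime, propagation delay, retire safety and jitter into the time a key spends retired; the kasp.xml element names in the comments follow the standard policy layout, and the policy values are constructed to match the thread (lifetime left at P7D).

```python
"""Estimate how long a ZSK stays in the retired state for a KASP policy.

Added example, not OpenDNSSEC code. It applies the rule from the thread:
retire time = signature lifetime + propagation delay + retire safety (+ jitter).
Durations are written in the ISO 8601 form KASP uses (P7D, PT3600S, ...).
"""
import re
from datetime import timedelta

# Only the duration components KASP policies use in practice (W, D, H, M, S);
# years and months have no fixed length and are deliberately rejected.
_DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Parse an ISO 8601 duration such as 'P7D' or 'PT3600S' into a timedelta."""
    text = text.strip()
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported KASP duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(**parts)


def retire_period(policy: dict, include_jitter: bool = True) -> timedelta:
    """Time a retired key is kept: lifetime + propagation + safety (+ jitter)."""
    total = (parse_duration(policy["signature_validity"])
             + parse_duration(policy["propagation_delay"])
             + parse_duration(policy["retire_safety"]))
    if include_jitter:
        total += parse_duration(policy["jitter"])
    return total


# Constructed policy values mirroring the thread: lifetime still at P7D.
POLICY_P7D = {
    "signature_validity": "P7D",     # kasp.xml Signatures/Validity/Default
    "propagation_delay": "PT9999S",  # kasp.xml Zone/PropagationDelay
    "retire_safety": "PT3600S",      # kasp.xml Keys/RetireSafety
    "jitter": "PT12H",               # kasp.xml Signatures/Jitter
}

if __name__ == "__main__":
    # Shortening RetireSafety alone barely moves the total; the lifetime does.
    for lifetime in ("P7D", "P1D"):
        pol = dict(POLICY_P7D, signature_validity=lifetime)
        print(lifetime, "->", retire_period(pol))
```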