[Opendnssec-user] ZSK in use too long

Alex Dalitz AlexD at nominet.org.uk
Thu Aug 4 15:12:34 UTC 2011


Hi - 

On 22 Jun 2011, at 13:21, Gilles Massen wrote:

>> My logs regularly show the message "ZSK ... in use too long" as in
>> example below. I thought this was a problem. A little investigation
>> shows that this key has already been retired.
>> So my conclusion is that everything is fine.
> 
> I notice this regularly, and my conclusion is the same: no harm. It
> seems that the auditor has a stricter interpretation of a key's
> lifetime, and uses <Lifetime>, but the signed zones may contain
> signatures up to <Lifetime>+<Validity>-<Refresh>.

The auditor specification has been changed to add the signature validity period to the checks. This is reflected in svn trunk.

Thanks,


Alex.

