[Opendnssec-user] ZSK in use too long

Alex Dalitz AlexD at nominet.org.uk
Thu Aug 4 15:12:34 UTC 2011

Hi - 

On 22 Jun 2011, at 13:21, Gilles Massen wrote:

>> My logs regularly show them message "ZSK ... in use too long" as in
>> example below. I thought this was a problem. A little investigation
>> shows that this key has already been retired.
>> So my conclusion is that everything is fine.
> I notice this regularly, and my conclusion is the same: no harm. Tt
> seems that the auditor has a stricter interpretation of a key's
> lifetime, and uses <Lifetime>, but the signed zones may contain
> signatures up to <Lifetime>+<Validity>-<Refresh>.

The auditor specification has been changed to add the signature validity period to the checks. This is reflected in svn trunk.



More information about the Opendnssec-user mailing list