[Opendnssec-user] ZSK in use too long

Casper Gielen c.gielen at uvt.nl
Wed Jun 22 09:49:59 UTC 2011


Hello,
this mail is written to clarify a message from my logs. I don't think
there is a problem, just a slightly harsh sounding message.

My logs regularly show the message "ZSK ... in use too long" as in
the example below. I thought this was a problem. A little investigation
shows that this key has already been retired.
So my conclusion is that everything is fine.

(for the record: today is 2011-06-22)

ods-auditor[19448]: Auditor started
ods-auditor[19448]: Auditor starting on example.com
ods-auditor[19448]: SOA differs : from 2010090270 to 2011062200
ods-auditor[19448]: Auditing example.com zone : NSEC3 SIGNED
ods-auditor[19448]: ZSK 22173 in use too long - should be max 2595600 seconds but has been 2737322 seconds
ods-auditor[19448]: Finished auditing example.com zone


root at ramanujan:~# ods-ksmutil key list --zone example.com    
Keys:
Zone:                        Keytype:      State:    Date of next transition:
example.com                  ZSK           retire    2011-06-27 20:30:12       
example.com                  ZSK           active    2011-07-20 19:00:12       
example.com                  ZSK           ready     next rollover             
example.com                  ZSK           ready     next rollover             
example.com                  KSK           dsready   When required             
example.com                  KSK           dsready   When required             
example.com                  KSK           active    2012-04-26 13:56:39       
example.com                  ZSK           ready     next rollover             
example.com                  ZSK           ready     next rollover     


Can anyone verify that this is normal behaviour?
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
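
The manual check described in the message (matching the auditor warning against the zone's key states), as an added example that is not part of the original post and not OpenDNSSEC's own code. The function names are hypothetical and the sample input is constructed from the lines quoted above; the listing carries no key tags, so the script can only show that a ZSK of the zone is in `retire`, not that it is key 22173.

```python
import re
from datetime import datetime

# Constructed sample, taken from the log line and key listing in the message.
LOG = ("ods-auditor[19448]: ZSK 22173 in use too long - should be max "
       "2595600 seconds but has been 2737322 seconds")
KEY_LIST = """\
example.com                  ZSK           retire    2011-06-27 20:30:12
example.com                  ZSK           active    2011-07-20 19:00:12
example.com                  ZSK           ready     next rollover
example.com                  KSK           dsready   When required
"""

WARN_RE = re.compile(r"(ZSK|KSK) (\d+) in use too long - should be max "
                     r"(\d+) seconds but has been (\d+) seconds")
ROW_RE = re.compile(r"^(\S+)\s+(ZSK|KSK)\s+(\S+)\s+(.*\S)\s*$")

def parse_warning(line):
    """Return key type, tag, limit, usage and overrun in seconds, or None."""
    m = WARN_RE.search(line)
    if not m:
        return None
    limit, used = int(m.group(3)), int(m.group(4))
    return {"type": m.group(1), "tag": int(m.group(2)),
            "limit": limit, "used": used, "over": used - limit}

def parse_key_list(text):
    """Parse key-list rows; header lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        zone, ktype, state, when = m.groups()
        try:
            when = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass  # "next rollover" / "When required" stay as text
        rows.append({"zone": zone, "type": ktype, "state": state, "next": when})
    return rows

def triage(line, key_list, zone):
    """Pair a warning with same-type keys of the zone in state 'retire'."""
    warn = parse_warning(line)
    if warn is None:
        return None
    retiring = [r for r in parse_key_list(key_list) if r["zone"] == zone
                and r["type"] == warn["type"] and r["state"] == "retire"]
    return {**warn, "over_days": round(warn["over"] / 86400, 2),
            "retiring": retiring}
```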


