[Opendnssec-user] ZSK in use too long

Gilles Massen gilles.massen at restena.lu
Wed Jun 22 14:21:45 CEST 2011


Hello Caspar,

On 06/22/2011 11:49 AM, Casper Gielen wrote:
> My logs regularly show the message "ZSK ... in use too long" as in
> example below. I thought this was a problem. A little investigation
> shows that this key has already been retired.
> So my conclusion is that everything is fine.

I notice this regularly, and my conclusion is the same: no harm. It
seems that the auditor has a stricter interpretation of a key's
lifetime, and uses <Lifetime>, but the signed zones may contain
signatures up to <Lifetime>+<Validity>-<Refresh>.

Best,
Gilles

-- 
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473
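
Added example, not part of the original message and not OpenDNSSEC code: a small triage helper that applies the bound given in the reply (<Lifetime>+<Validity>-<Refresh>) to decide whether an "in use too long" message falls inside the window where old signatures are still expected. The function names, the result labels and the policy values are constructed for illustration; durations are assumed to be written as ISO 8601 strings.

```python
import re
from datetime import timedelta

# Weeks/days/hours/minutes/seconds only; year and month units are rejected
# because their length in seconds is implementation-defined (assumption).
_DURATION = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse a duration such as 'P90D' or 'PT7200S' into a timedelta."""
    m = _DURATION.match(text)
    if m is None or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(weeks=w, days=d, hours=h, minutes=mi, seconds=s)


def signature_bound(lifetime, validity, refresh):
    """Latest key age at which its signatures may still be in the zone,
    using the bound stated in the reply: Lifetime + Validity - Refresh."""
    lt, va, rf = (parse_duration(x) for x in (lifetime, validity, refresh))
    if rf >= va:
        # Sanity check added here: the bound only makes sense if Refresh < Validity.
        raise ValueError("Refresh must be shorter than Validity")
    return lt + va - rf


def classify_zsk_age(age, lifetime, validity, refresh):
    """Triage an 'in use too long' message for a ZSK of the given age."""
    in_use = parse_duration(age)
    if in_use <= parse_duration(lifetime):
        return "within-lifetime"
    if in_use <= signature_bound(lifetime, validity, refresh):
        return "expected-overrun"  # past Lifetime, old signatures still draining
    return "investigate"           # older than the bound from the reply


if __name__ == "__main__":
    policy = ("P90D", "P14D", "P3D")  # constructed Lifetime, Validity, Refresh
    for age in ("P30D", "P95D", "P102D"):
        print(age, classify_zsk_age(age, *policy))
```
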