[Opendnssec-user] ZSK in use too long
Gilles Massen
gilles.massen at restena.lu
Wed Jun 22 12:21:45 UTC 2011
Hello Casper,
On 06/22/2011 11:49 AM, Casper Gielen wrote:
> My logs regularly show the message "ZSK ... in use too long" as in
> example below. I thought this was a problem. A little investigation
> shows that this key has already been retired.
> So my conclusion is that everything is fine.
I notice this regularly, and my conclusion is the same: no harm. It
seems that the auditor has a stricter interpretation of a key's
lifetime, and uses <Lifetime>, but the signed zones may contain
signatures up to <Lifetime>+<Validity>-<Refresh>.
Best,
Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473