[Opendnssec-user] Turn ksk in to no-retire

Siôn Lloyd sion at nominet.org.uk
Thu Jun 28 08:44:52 UTC 2012


On 27/06/12 13:24, Bas van den Dikkenberg wrote:
>
> Hi all,
>
> Is there a way to turn the current active KSK into a non-retiring key?
>
> With kind regards,
>
> Bas van den Dikkenberg
>
>
>

Not for just one key; you can make a policy where the KSK lifetime is 
large, and set the "Manual Rollover" option. This will apply to _all_ 
KSKs on that policy however.

See:
https://wiki.opendnssec.org/display/DOCS/Key+Management#KeyManagement-Keyrolloversonexactdates

The reason to set the lifetime high in this case is just to stop log 
messages prompting you to roll the key, and possible auditor messages 
about the key use.

Sion
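
Added example, not part of the original message and not taken from the poster's configuration: a `kasp.xml` fragment showing the setup the reply describes, a long KSK lifetime combined with manual rollover. The policy name, the `P10Y` lifetime, the key length and the repository name are constructed placeholders, and the other sections of the policy are left out.

```xml
<!-- Fragment of kasp.xml. Policy name and all values are illustrative. -->
<Policy name="manual-ksk">
  <Keys>
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <!-- A long lifetime keeps the enforcer from logging
           "time to roll" reminders for keys on this policy. -->
      <Lifetime>P10Y</Lifetime>
      <Repository>SoftHSM</Repository>
      <!-- With this element present the KSK is not rolled
           automatically; an operator has to start the rollover.
           It applies to every KSK on this policy. -->
      <ManualRollover/>
    </KSK>
  </Keys>
</Policy>
```

Because the setting is per policy, a zone whose KSK should behave differently needs to be assigned to a separate policy.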