[Opendnssec-user] Max KSK lifetime

Thomas Dupas thomas at dupas.be
Wed Nov 14 14:56:11 UTC 2012

Hi everyone,

Is there an (intended) hard limit on the max ksk lifetime, in opendnssec 1.4.0 b1?

I wanted to extend the default 1Y lifetime to 2Y .. but opendnssec didn't agree with me:
"WARNING: In policy default, Y used in duration field for Keys/KSK Lifetime (P2Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days"

If I want it to be indefinite / untill it is deemed necessary, should I put it to 10Y, or 0, or ..?



More information about the Opendnssec-user mailing list