[Opendnssec-user] Max KSK lifetime

Siôn Lloyd sion at nominet.org.uk
Wed Nov 14 15:12:46 UTC 2012

On 14/11/12 14:56, Thomas Dupas wrote:
> Hi everyone,
> Is there an (intended) hard limit on the max ksk lifetime, in opendnssec 1.4.0 b1?
> I wanted to extend the default 1Y lifetime to 2Y .. but opendnssec didn't agree with me:
> "WARNING: In policy default, Y used in duration field for Keys/KSK Lifetime (P2Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days"
> If I want it to be indefinite / untill it is deemed necessary, should I put it to 10Y, or 0, or ..?
> Br,
> Thomas_______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

That message is just warning that the "Y" is read as 365 days, so it
doesn't know about leap-years.

The maximum key lifetime is determined by the size of an int on your
system, for 32 bit systems this equates to ~68 years.


More information about the Opendnssec-user mailing list