[Opendnssec-user] key state

Siôn Lloyd sion at nominet.org.uk
Wed Jul 23 09:23:16 UTC 2014


On 22/07/14 15:54, Jens Link wrote:
> Hi,
>
> maybe I'm missing something in the documentation but is there a (good)
> way to speed up the transition of a key from publish to active? 
>  
> kind regards, 
>
> Jens

Assuming that the configuration you have is realistic then the answer
may be no...

This transition relies on:

The TTL (of the ZSK DNSKEY record or the DS in the parent for the KSK),
The propagation delay,
and
The publish safety margin.

Of these values only the first is deterministic, the second is a best
guess and the final value is to cover any contingencies.

One question though is why you want to do this? If you are testing then
these values can be set very low; if you are live then I'd _strongly_
recommend against doing that or you may well start using keys before
they are ready.

Sion



More information about the Opendnssec-user mailing list