[Opendnssec-user] Problem with KSK manual rollover
Erik P. Ostlyngen
erik.ostlyngen at uninett.no
Mon Mar 10 07:52:46 UTC 2014
On 03/10/2014 08:25 AM, Jerry Lundström wrote:
> Hi Erik,
>
>> My reason for having a 4h key lifetime here is that I wanted to
>> observe what OpenDNSSec does at the time of key rollover. The
>> question (which was not so clear in my first message) is whether
>> the ManualRollover tag prevents OpenDNSSec from initiating an
>> automatic rollover when the key expires? That is what I expected,
>> but OpenDNSSec seems to roll the key regardless of the
>> ManualRollover tag. Maybe the tag has a different purpose than
>> what I thought it had?
>
> From what you said in your previous email everything is working as
> it should. It did not roll the KSK but it prepared a new KSK for
> you to roll to since you have 4h lifetime. If you don't wish to
> have that behavior you need to set a lifetime like 10-100 years.
I understand. We'll use a 10-year or longer lifetime then. What
confused me is that OpenDNSSec created a new key and published it in
my zonefile, waiting for me to complete the rollover by issuing a
ds-seen command. This looks very similar to the automatic KSK rollover
(which also stops and waits for me to issue a ds-seen command). This
makes me wonder what difference the ManualRollover tag makes.
Erik Østlyngen
UNINETT Norid
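As an added illustration, not part of this thread or of the OpenDNSSEC project's own documentation, here is a constructed kasp.xml fragment in OpenDNSSEC 1.x policy syntax showing the two settings discussed above side by side: the short 4h KSK lifetime that causes a standby KSK to be pre-published, and the long lifetime recommended in the reply, combined with the ManualRollover element. Element names follow the OpenDNSSEC 1.x kasp.xml schema as assumed here; the policy name, repository name and the surrounding policy elements are constructed, and the rest of the policy (Signatures, Denial, Zone, Parent) is omitted.

```xml
<!-- Constructed example: KSK section of an OpenDNSSEC 1.x kasp.xml policy.
     Policy name "example" and repository "SoftHSM" are placeholders. -->
<Policy name="example">
  <Description>KSK lifetime and ManualRollover illustration (constructed)</Description>
  <Keys>
    <!-- Setting that triggered the behaviour in the thread: a 4 hour lifetime.
         OpenDNSSEC prepares and publishes a successor KSK as the lifetime nears
         its end and then waits for a ds-seen command; ManualRollover alone does
         not suppress that preparation. -->
    <!--
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>PT4H</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
      <ManualRollover/>
    </KSK>
    -->

    <!-- Setting per the reply: a lifetime of 10 years (ISO 8601 duration P10Y),
         so the enforcer does not schedule a rollover on its own. The rollover
         is then started only when an operator requests it, and completed with
         the ds-seen command once the new DS is in the parent zone. -->
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P10Y</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
      <ManualRollover/>
    </KSK>

    <!-- ZSK left automatic: it rolls within the zone without a parent update. -->
    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <Lifetime>P30D</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
    </ZSK>
  </Keys>
</Policy>
```

When checking a policy, look at the KSK Lifetime together with ManualRollover: the tag governs who initiates the rollover, while the lifetime governs when the enforcer starts preparing for one, which is why the 4h setting produced a published successor key even with ManualRollover present.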