[Opendnssec-user] Problem with KSK manual rollover

Jerry Lundström jerry at opendnssec.org
Mon Mar 10 12:50:49 UTC 2014


Hi Erik,

On 10 Mar 2014, at 11:18 , Erik P. Ostlyngen <erik.ostlyngen at uninett.no> wrote:

> I think it would be handy if one could configure OpenDNSSEC with KSKs
> to have a lifetime of e.g. 1 year and that rollover should be
> completely manual. OpenDNSSEC would then do nothing when the key
> expires, other than logging warning messages, waiting for the operator
> to initiate a rollover with a 'ods-ksmutil key rollover' command or
> otherwise issue some other command to extend the lifetime of the old
> key.

As OpenDNSSEC was designed to handle keys automatically, I do not see a point in adding the manual steps you are describing, and the functionality you want already exists: just set the KSK lifetime to 10 or 100 years and manage the KSK rollover manually.

> Btw, is there a way to see how old a key is? This would be useful
> in a setting where key rollover is manual.

I don't know if you can see exactly that somewhere, but you can see when the next rollover is, and maybe you can see somewhere when the key was created/introduced and calculate how old it is from that.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
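What the "set a very long KSK lifetime" suggestion looks like in a KASP policy, as an added example that is not part of the thread or of OpenDNSSEC's shipped configuration. The policy name, zone name, repository name and algorithm are assumptions chosen for illustration; the element names follow the OpenDNSSEC 1.x kasp.xml schema (check the kasp.rnc shipped with your version before relying on any of them).

```xml
<!-- Fragment of kasp.xml for a hypothetical policy "manual-ksk".
     Only the <Keys> section is shown; the rest of the policy
     (Signatures, Denial, Zone, Parent, ...) is unchanged and omitted here. -->
<Policy name="manual-ksk">
  <Description>KSK rolled by the operator, ZSK rolled automatically</Description>
  <Keys>
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>

    <KSK>
      <!-- Algorithm 8 = RSA/SHA-256; 2048-bit key (assumption for the example) -->
      <Algorithm length="2048">8</Algorithm>
      <!-- Lifetime far beyond any planned rollover: the enforcer will never
           retire this KSK on its own, so the operator decides when it rolls.
           ISO 8601 duration, here 100 years. -->
      <Lifetime>P100Y</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
      <!-- Some 1.x releases also accept an optional <ManualRollover/>
           element inside <KSK>; whether your schema has it is an
           assumption to verify against kasp.rnc, which is why it is
           left commented out here. -->
      <!-- <ManualRollover/> -->
    </KSK>

    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <!-- ZSK keeps a normal, automatic 90-day rollover -->
      <Lifetime>P90D</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
    </ZSK>
  </Keys>
</Policy>
```

After editing kasp.xml the enforcer has to re-read it (`ods-ksmutil update kasp`) and the zone has to be attached to the policy in zonelist.xml. The operator-driven rollover is then `ods-ksmutil key rollover --zone example.com --keytype KSK`, and once the new DS record is visible at the parent, `ods-ksmutil key ds-seen --zone example.com --keytag <tag>` lets the enforcer finish retiring the old key. Note that `ods-ksmutil key list --verbose` reports the date of the key's next state transition, which with a 100-year lifetime says nothing useful about how old the key is, so the key's age has to be tracked from when it was introduced, as Jerry describes above.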
