[Opendnssec-user] Problem with KSK manual rollover
Erik P. Ostlyngen
erik.ostlyngen at uninett.no
Tue Mar 11 10:18:42 UTC 2014
On 03/10/2014 01:50 PM, Jerry Lundström wrote:
> Hi Erik,
>
> On 10 Mar 2014, at 11:18 , Erik P. Ostlyngen
> <erik.ostlyngen at uninett.no> wrote:
>
>> I think it would be handy if one could configure OpenDNSSec
>> with KSKs to have a lifetime of e.g. 1 year and that rollover
>> should be completely manual. OpenDNSSec would then do nothing
>> when the key expires, other than logging warning messages,
>> waiting for the operator to initiate a rollover with a
>> 'ods-ksmutil key rollover' command or otherwise issue some
>> other command to extend the lifetime of the old key.
>
> As OpenDNSSEC was designed to handle keys automatically, I do not
> see the point in adding the manual steps you are describing, and
> the functionality you want already exists: just set the KSK
> lifetime to 10 or 100 years and manage the KSK rollover
> manually.
This is a good enough solution for me. Thanks for clearing these
things up. I'll use a 50-year lifetime. By then I'll be retired. 68
years seems to be the maximum on a 32-bit system.
>> Btw, is there a way to see how old a key is? This would be
>> useful in a setting where key rollover is manual.
>
> I don't know if you can see exactly that somewhere, but you can
> see when the next rollover is, and maybe you can see when the key
> was created/introduced somewhere and calculate how old it is.
I can of course read the expiry date and subtract the key lifetime.
Erik Østlyngen
UNINETT Norid
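The two practical points in the thread are (a) a very long KSK lifetime so that OpenDNSSEC never rolls the key on its own, bounded by what fits in a 32-bit signed number of seconds, and (b) working out a key's age by subtracting its lifetime from the next-rollover date. The script below is an added example written for this page, not code from the thread or from OpenDNSSEC itself. It assumes the kasp.xml <Lifetime> value is an ISO 8601 duration (e.g. P50Y) and approximates one year as 365 days and one month as 30 days, which is an assumption about how the daemon counts time and not something the thread states.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption (not from the thread): the KSK <Lifetime> in kasp.xml is an
# ISO 8601 duration such as P1Y, P50Y or P6M. Years and months are
# approximated as 365 and 30 days; the daemon's own rounding may differ.
_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

# Largest value a signed 32-bit seconds counter can hold (2^31 - 1).
INT32_MAX = 2**31 - 1
SECONDS_PER_YEAR = 365 * 86400


def lifetime_seconds(duration: str) -> int:
    """Convert an ISO 8601 duration like 'P50Y' into seconds."""
    m = _DURATION.match(duration)
    if not m or duration in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {duration!r}")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    days = g["y"] * 365 + g["mo"] * 30 + g["w"] * 7 + g["d"]
    return days * 86400 + g["h"] * 3600 + g["mi"] * 60 + g["s"]


def fits_32bit(duration: str) -> bool:
    """True if the lifetime, in seconds, fits a signed 32-bit integer."""
    return lifetime_seconds(duration) <= INT32_MAX


def max_whole_years_32bit() -> int:
    """Largest whole number of (365-day) years below the 32-bit limit."""
    return INT32_MAX // SECONDS_PER_YEAR


def key_introduced(next_rollover: datetime, duration: str) -> datetime:
    """Key introduction time = next rollover date minus the lifetime."""
    return next_rollover - timedelta(seconds=lifetime_seconds(duration))


def key_age_days(next_rollover: datetime, duration: str, now: datetime) -> int:
    """Age of the key in whole days at time 'now'."""
    return (now - key_introduced(next_rollover, duration)).days


if __name__ == "__main__":
    # Constructed sample: a KSK with next rollover 50 years after 2014-03-24.
    rollover = datetime(2064, 3, 11, tzinfo=timezone.utc)
    now = datetime(2014, 4, 3, tzinfo=timezone.utc)
    for lt in ("P50Y", "P68Y", "P69Y", "P100Y"):
        print(lt, "fits 32-bit:", fits_32bit(lt))
    print("max whole years in 32-bit seconds:", max_whole_years_32bit())
    print("key introduced:", key_introduced(rollover, "P50Y").date())
    print("key age (days):", key_age_days(rollover, "P50Y", now))
```

With 365-day years, P68Y (2,144,448,000 s) still fits under 2^31 - 1 while P69Y does not, which matches the 68-year ceiling mentioned above; P100Y would overflow a 32-bit counter, so on such a system the 10-year or 50-year choice is the safe one.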