[Opendnssec-user] retire period / signature lifetime

Maurice Mahieu maurice at info.nl
Thu May 1 15:09:53 CEST 2014


Dear  opendnssec users,

I am confused about the following behaviour of opendnssec.

I noticed that the signature validity  time gets added to the retire 
period for keys. I am wondering why this is ?
I have a TTL of 1 hour for the keys.  My signature validity  time is 28  
days.  With a TTL of 1H  for the keys I think that normally it would be 
safe for the old ZSK to stay in the retire state for a few hours and 
then be marked dead. But now it wil be in the retire state for 28 days. 
I think this is strange. Or am I missing something ?


With kind regards

-- 
Maurice Mahieu
System Engineer  | maurice at info.nl <mailto:maurice at info.nl>
info.nl <http://www.info.nl> /connecting the dots/ 
<http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig> 

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  | +31 (0)20 530 91 11 
<tel:+31205309111>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140501/bbbaa8c5/attachment.html>


More information about the Opendnssec-user mailing list