[Opendnssec-user] retire period / signature lifetime

Maurice Mahieu maurice at info.nl
Thu May 1 13:09:53 UTC 2014

Dear opendnssec users,

I am confused about the following behaviour of opendnssec.

I noticed that the signature validity time gets added to the retire
period for keys. I am wondering why this is?
I have a TTL of 1 hour for the keys. My signature validity time is 28
days. With a TTL of 1H for the keys I think that normally it would be
safe for the old ZSK to stay in the retire state for a few hours and
then be marked dead. But now it will be in the retire state for 28 days.
I think this is strange. Or am I missing something?

With kind regards

Maurice Mahieu
System Engineer | maurice at info.nl
info.nl <http://www.info.nl> /connecting the dots/ 

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  | +31 (0)20 530 91 11 
