[Opendnssec-user] key Lifetime and ManualRollover

Siôn Lloyd sion at nominet.org.uk
Wed Mar 25 08:57:24 UTC 2015


On 24/03/15 17:21, Emil Natan wrote:
> Hello,
> 
> I was just wondering what's the meaning of the Lifetime parameter when
> used with ManualRollover. I understand that the Lifetime is used when
> pregenerating keys, for example to calculate the number of keys for a
> period, but if ManualRollover is set, what will the enforcer do when
> the Lifetime limit is met (more than just send an alert)? I'm going to
> test this scenario in a test environment, but I'm interested in what
> others think about it.
> 
> Thanks.
> 
> Emil

Hi Emil,

As you suspect, the key lifetime is still used for all the same
calculations and log messages as before; however, with ManualRollover set
there is a requirement for user intervention to allow the rollover to
proceed.

If you want to roll keys when you need to and without any warnings then
you can set the lifetime to something larger than you would want. Say I
want to roll keys on the 1st January every year, I could set the
lifetime to 13 months so that I will only see log messages if I forgot
to initiate the rollover.

Sion
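To make the arrangement Siôn describes concrete, the following kasp.xml
Keys section is an added example; it is not from the thread and not from
OpenDNSSEC's own documentation or sample configuration. The policy name,
description and repository name are placeholders, the surrounding
Signatures, Denial, Zone and Parent elements of a full policy are
omitted, and the ods-ksmutil commands mentioned in the comments are the
OpenDNSSEC 1.4 command line (assumed; OpenDNSSEC 2.x exposes the same
operations through ods-enforcer).

```xml
<!-- Added example (not from the thread or from OpenDNSSEC): the <Keys>
     section of a kasp.xml policy whose KSK is rolled by hand on
     1 January every year, with a deliberately long Lifetime so the
     enforcer only complains if the manual rollover was forgotten.
     Policy and repository names are placeholders; the rest of the
     policy (Signatures, Denial, Zone, Parent) is left out. -->
<Policy name="manual-ksk">
  <Description>KSK rolled manually once a year; ZSK rolled automatically</Description>
  <Keys>
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <!-- 13 months rather than 12: the planned 1 January rollover
           always falls inside the lifetime, so the enforcer's
           "key lifetime exceeded" log messages only appear if the
           operator forgot to start the rollover. With ManualRollover
           below, the enforcer still does not roll the key by itself. -->
      <Lifetime>P13M</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
      <!-- Rollover waits for the operator, e.g. (OpenDNSSEC 1.4, assumed):
             ods-ksmutil key rollover --zone example.com --keytype KSK
           followed, once the new DS is published at the parent, by
             ods-ksmutil key ds-seen --zone example.com --keytag <tag> -->
      <ManualRollover/>
    </KSK>
    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <!-- No ManualRollover here: Lifetime alone drives the ZSK
           rollover and the enforcer rolls it unattended. -->
      <Lifetime>P90D</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
    </ZSK>
  </Keys>
</Policy>
```

The one thing to watch with this setup is that the safety margin is
only as good as the log monitoring: with ManualRollover set, a missed
1 January rollover produces nothing but log lines once the 13 months
are up, so those messages need to reach someone who will act on them.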
