[Opendnssec-user] key Lifetime and ManualRollover

Emil Natan shlyoko at gmail.com
Wed Mar 25 10:35:32 UTC 2015


Hi Sion,

Thank you for the reply. That's exactly what I did, but I was more
concerned about what will happen if we forget about the rollover and the alerts
are missed for some reason. Of course I can give it a bit more buffer, but
if the rollover is missed at some point I presume the key will be marked
retired and the DNSKEY not signed in the case of a KSK. Is that right?

Emil

On Wed, Mar 25, 2015 at 10:57 AM, Siôn Lloyd <sion at nominet.org.uk> wrote:

> On 24/03/15 17:21, Emil Natan wrote:
> > Hello,
> >
> > I was just wondering what the meaning of the Lifetime parameter is when
> > used with ManualRollover. I understand that the Lifetime is used when
> > pregenerating keys, for example to calculate the number of keys for a
> > period, but if ManualRollover is set, what will the enforcer do when
> > the Lifetime limit is met (more than just send an alert)? I'm going to
> > test this scenario in a test environment, but I'm interested in what others
> > think about it.
> >
> > Thanks.
> >
> > Emil
>
> Hi Emil,
>
> As you suspect, the key lifetime is still used for all the same
> calculations and log messages as before; however, with ManualRollover set
> there is a requirement for user intervention to allow the rollover to
> proceed.
>
> If you want to roll keys when you need to and without any warnings, then
> you can set the lifetime to something larger than you would want. Say I
> want to roll keys on the 1st of January every year; I could set the
> lifetime to 13 months so that I will only see log messages if I forgot
> to initiate the rollover.
>
> Sion
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
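The kasp.xml fragment below is an added example, not part of the original thread or of OpenDNSSEC's shipped configuration. It shows the setup Sion describes in OpenDNSSEC 1.4 KASP syntax: a KSK with ManualRollover set and a Lifetime of 13 months, so that a rollover initiated by hand each January runs without warnings and the enforcer only logs about an overdue rollover if that was forgotten. The policy name, repository name, algorithm choices and ZSK parameters are assumptions for illustration, and the other mandatory policy sections (Signatures, Denial, Zone, Parent) are left out for brevity.

```xml
<!-- kasp.xml fragment, OpenDNSSEC 1.4 syntax. Policy name, repository name,
     algorithm choices and the ZSK parameters are assumptions for illustration;
     Signatures, Denial, Zone and Parent sections are omitted for brevity. -->
<KASP>
  <Policy name="manual-ksk">
    <Description>KSK rolled by hand each January; enforcer warns if forgotten</Description>
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <!-- 13 months rather than 12: the Lifetime still drives the
             enforcer's calculations and log messages, so the extra month
             means warnings appear only when the 1 January rollover was
             not initiated by hand. -->
        <Lifetime>P13M</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
        <!-- No automatic rollover: the KSK is only rolled after operator
             intervention (ods-ksmutil key rollover --zone ZONE --keytype KSK). -->
        <ManualRollover/>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
```

With this policy the ZSK still rolls automatically every 30 days; only the KSK waits for the operator. In OpenDNSSEC 1.4 the manual KSK rollover is started with `ods-ksmutil key rollover --zone ZONE --keytype KSK`, and the new DS record must then be published at the parent and confirmed with `ods-ksmutil key ds-seen` before the old KSK can retire, so the monitoring that catches the overdue-rollover log messages should also cover that parent-side step.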