[Opendnssec-user] key Lifetime and ManualRollover

Siôn Lloyd sion at nominet.org.uk
Thu Mar 26 10:03:33 UTC 2015


On 25/03/15 10:35, Emil Natan wrote:
> Hi Sion,
> 
> Thank you for the reply. That's exactly what I did, but I was more
> concerned what will happen if we forget about the rollover and the
> alerts are missed for some reason. Of course I can give it a bit more
> buffer, but if the rollover is missed at some point I presume the key
> will be marked retired and the DNSKEY not signed in the case of a KSK. Is
> that right?

No, the key will not be retired until there is a suitable replacement
available... The system will nag you but no more.

This is true for manual rollover set or not; in fact the KSK rollover
already has the manual step of the "ds-seen" command being issued. You
could, in theory, never run this command and the system will continue to
use the old key.

Sion


> 
> Emil
> 
> On Wed, Mar 25, 2015 at 10:57 AM, Siôn Lloyd <sion at nominet.org.uk
> <mailto:sion at nominet.org.uk>> wrote:
> 
>     On 24/03/15 17:21, Emil Natan wrote:
>     > Hello,
>     >
>     > I was just wondering what's the meaning of the Lifetime parameter when
>     > used with ManualRollover. I understand that the Lifetime is used when
>     > pregenerating keys for example to calculate the numbers of keys for a
>     > period, but if ManualRollover is set what the enforcer will do when
>     > the Lifetime limit is met (more than just send an alert)? I'm going to
>     > test this scenario in a test environment, but I'm interested in what others
>     > think about it.
>     >
>     > Thanks.
>     >
>     > Emil
> 
>     Hi Emil,
> 
>     As you suspect the key lifetime is still used for all the same
>     calculations and log messages as before; however with ManualRollover set
>     there is a requirement for user intervention to allow the rollover to
>     proceed.
> 
>     If you want to roll keys when you need to and without any warnings then
>     you can set the lifetime to something larger than you would want. Say I
>     want to roll keys on the 1st January every year, I could set the
>     lifetime to 13 months so that I will only see log messages if I forgot
>     to initiate the rollover.
> 
>     Sion
> 
>     _______________________________________________
>     Opendnssec-user mailing list
>     Opendnssec-user at lists.opendnssec.org
>     <mailto:Opendnssec-user at lists.opendnssec.org>
>     https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
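As an added example, not from the thread or the OpenDNSSEC project: the <Keys> section of a kasp.xml policy set up the way Sion describes, with a manually rolled KSK given a lifetime longer than the intended yearly roll so that the enforcer only logs when the manual roll has been forgotten. Element names are those of OpenDNSSEC 1.4 kasp.xml; the repository name and the durations are assumed values.

```xml
<!-- Added example, not from the thread: <Keys> section of an OpenDNSSEC 1.4
     kasp.xml policy. Repository name and durations are assumed values. -->
<Keys>
  <TTL>PT3600S</TTL>
  <RetireSafety>PT3600S</RetireSafety>
  <PublishSafety>PT3600S</PublishSafety>
  <Purge>P14D</Purge>

  <KSK>
    <Algorithm length="2048">8</Algorithm>
    <!-- 13 months (P1Y1M): the operator starts the yearly roll on 1 January
         by hand; the enforcer only starts nagging in the log if that was
         forgotten and the lifetime has passed. The old key stays in use
         until a replacement is ready, so a missed date does not unsign
         the DNSKEY set. -->
    <Lifetime>P1Y1M</Lifetime>
    <Repository>SoftHSM</Repository>
    <!-- The enforcer never starts a KSK roll on its own. Each roll needs
         "ods-ksmutil key rollover" to begin it and "ods-ksmutil key ds-seen"
         once the new DS is in the parent. -->
    <ManualRollover/>
  </KSK>

  <ZSK>
    <Algorithm length="1024">8</Algorithm>
    <!-- No <ManualRollover/> here: ZSKs roll automatically when the
         90-day lifetime is reached. -->
    <Lifetime>P90D</Lifetime>
    <Repository>SoftHSM</Repository>
  </ZSK>
</Keys>
```

Keeping the lifetime comfortably longer than the planned roll interval is what turns the enforcer's lifetime warnings into a missed-rollover alert rather than routine noise.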