[Opendnssec-user] key Lifetime and ManualRollover

Emil Natan shlyoko at gmail.com
Thu Mar 26 10:39:39 UTC 2015


That was very helpful and exactly what I wanted to hear. Thank you.

Emil

On Thu, Mar 26, 2015 at 12:03 PM, Siôn Lloyd <sion at nominet.org.uk> wrote:

> On 25/03/15 10:35, Emil Natan wrote:
> > Hi Sion,
> >
> > Thank you for the reply. That's exactly what I did, but I was more
> > concerned what will happen if we forget about the rollover and the
> > alerts are missed for some reason. Of course I can give it a bit more
> > buffer, but if the rollover is missed at some point I presume the key
> > will be marked retired and the DNSKEY not signed in the case if KSK. Is
> > that right?
>
> No, the key will not be retired until there is a suitable replacement
> available... The system will nag you but no more.
>
> This is true for manual rollover set or not; in fact the KSK rollover
> already has the manual step of the "ds-seen" command being issued. You
> could, in theory, never run this command and the system will continue to
> use the old key.
>
> Sion
>
>
> >
> > Emil
> >
> > On Wed, Mar 25, 2015 at 10:57 AM, Siôn Lloyd <sion at nominet.org.uk
> > <mailto:sion at nominet.org.uk>> wrote:
> >
> >     On 24/03/15 17:21, Emil Natan wrote:
> >     > Hello,
> >     >
> >     > I was just wondering what's the meaning of the Lifetime parameter
> >     > when used with ManualRollover. I understand that the Lifetime is
> >     > used when pregenerating keys, for example to calculate the number
> >     > of keys for a period, but if ManualRollover is set what will the
> >     > enforcer do when the Lifetime limit is met (more than just send an
> >     > alert)? I'm going to test this scenario in a test environment, but
> >     > I'm interested what others think about it.
> >     >
> >     > Thanks.
> >     >
> >     > Emil
> >
> >     Hi Emil,
> >
> >     As you suspect, the key lifetime is still used for all the same
> >     calculations and log messages as before; however with ManualRollover
> >     set there is a requirement for user intervention to allow the rollover
> >     to proceed.
> >
> >     If you want to roll keys when you need to and without any warnings
> >     then you can set the lifetime to something larger than you would want.
> >     Say I want to roll keys on the 1st January every year, I could set the
> >     lifetime to 13 months so that I will only see log messages if I forgot
> >     to initiate the rollover.
> >
> >     Sion
> >
> >     _______________________________________________
> >     Opendnssec-user mailing list
> >     Opendnssec-user at lists.opendnssec.org
> >     <mailto:Opendnssec-user at lists.opendnssec.org>
> >     https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> >
> >
> >
> >
> >
>
>
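To make Sion's advice concrete, here is the shape of the `<Keys>` section of an OpenDNSSEC `kasp.xml` policy that follows it. This is an added illustration, not configuration posted in the thread and not a file shipped by the OpenDNSSEC project; the policy name, repository name, algorithm and the ZSK settings are assumed values, and the durations are ISO 8601 periods as `kasp.xml` expects them. The KSK gets `<ManualRollover/>` with a 13-month lifetime, so the enforcer keeps using the current KSK until the operator starts a rollover and later confirms the new DS with the ds-seen step; the only effect of passing the lifetime is the nagging in the logs.

```xml
<!-- Added example policy fragment (assumed values, not from the thread). -->
<Policy name="manual-ksk">
  <Description>KSK rolled by hand each 1st January; ZSK rolled automatically</Description>
  <Keys>
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>

    <!-- KSK: ManualRollover means the enforcer never starts the roll itself.
         Lifetime is set to 13 months, one month past the planned yearly roll,
         so the "key past its lifetime" log messages only appear if the
         operator forgot to initiate the rollover. -->
    <KSK>
      <Algorithm length="2048">8</Algorithm>   <!-- assumed: RSASHA256 -->
      <Lifetime>P13M</Lifetime>
      <Repository>SoftHSM</Repository>         <!-- assumed repository name -->
      <Standby>0</Standby>
      <ManualRollover/>
    </KSK>

    <!-- ZSK: no ManualRollover, so Lifetime drives automatic rollover. -->
    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <Lifetime>P30D</Lifetime>
      <Repository>SoftHSM</Repository>
      <Standby>0</Standby>
    </ZSK>
  </Keys>
</Policy>
```

The point of the contrast: for the ZSK the enforcer both schedules and completes the roll on its own, while for the KSK the lifetime is only a reminder. Whether or not ManualRollover is set, the old KSK stays active until a replacement is ready and the DS change has been confirmed, which is why a missed reminder results in log noise rather than an unsigned DNSKEY RRset.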