[Opendnssec-user] standby key no longer opendnssec 2.0

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Nov 22 21:13:40 UTC 2016

> How can shorten the time of keystate generate to publish it's now 1 day .

You can lower <MaxZoneTTL> in the KASP. Default it is 1 day. The pace of
ZSK rollovers is mostly dictated by the TTL of the records, but the
enforcer component does not access the actual zone data. MaxZoneTTL is
used to indicate the longest TTL in your zone and prevents rollovers
happen to quickly. The signer by the way uses this value to cap TTLs in
the zone. So setting this value lower does not break your zone DNSSEC wise.

ODS 2.0 is more conservative than 1.4 in publishing the DNSKEY in a
newly added zone. This is the result of 2.0 being more flexible WRT
rollovers (i.e. support algorithm rollover).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20161122/16883452/attachment.bin>

More information about the Opendnssec-user mailing list