[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?
list-opendnssec-user at jyborn.se
list-opendnssec-user at jyborn.se
Mon Nov 5 14:45:50 UTC 2018
Hello!
I have installed OpenDNSSEC 2.1.3 and use it for
two domains so far.
>From my old server with OpenDNSSEC 1.3 I'm used to
having different "Date of next transition:" fields
for KSK and ZSK. In that server I have KSK Lifetime
set to P4Y and ZSK Lifetime set to P30D.
In the new server I wanted to set a higher interval
between KSK rolls, so I set it to P10Y. And ZSK Lifetime
is P90D, as it is the default in the OpenDNSSEC package
in FreeBSD.
But now I have exactly the same "Date of next transition:"
for KSK and ZSK for both domains. Both dates are 90 days
into the future.
I'm wondering if P10Y is too long to be accepted, and
because of that OpenDNSSEC somehow decided to default
to the same Lifetime for KSK as for ZSK?
Thanks!
Peter
More information about the Opendnssec-user
mailing list