[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?

Michael Grimm trashcan at ellael.org
Mon Nov 5 18:44:58 UTC 2018


On 5. Nov 2018, at 15:45, list-opendnssec-user at jyborn.se wrote:

> I'm wondering if P10Y is too long to be accepted, and
> because of that OpenDNSSEC somehow decided to default
> to the same Lifetime for KSK as for ZSK?

Yes, 10 years should work. I do have the same settings regarding KSK:

  <Keys>
    <!-- Parameters for both KSK and ZSK -->
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>

    <!-- Parameters for KSK only -->
    <KSK>
      <Algorithm length="2048">8</Algorithm>
here --> <Lifetime>P10Y</Lifetime>
      <Repository>SoftHSM</Repository>
    </KSK>

    <!-- Parameters for ZSK only -->
    <ZSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P120D</Lifetime><!--GRIMM (end)-->
      <Repository>SoftHSM</Repository>
    </ZSK>
  </Keys>

HTH and regards,
Michael