[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?

list-opendnssec-user at jyborn.se
Mon Nov 5 20:43:22 UTC 2018


On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
> On 5. Nov 2018, at 15:45, list-opendnssec-user at jyborn.se wrote:
> 
> > I'm wondering if P10Y is too long to be accepted, and
> > because of that OpenDNSSEC somehow decided to default
> > to the same Lifetime for KSK as for ZSK?
> 
> Yes, 10 years should work. I do have the same settings regarding KSK:
> 
>   <Keys>
>     <!-- Parameters for both KSK and ZSK -->
>     <TTL>PT3600S</TTL>
>     <RetireSafety>PT3600S</RetireSafety>
>     <PublishSafety>PT3600S</PublishSafety>
>     <Purge>P14D</Purge>
> 
>     <!-- Parameters for KSK only -->
>     <KSK>
>       <Algorithm length="2048">8</Algorithm>
> here --> <Lifetime>P10Y</Lifetime>
>       <Repository>SoftHSM</Repository>
>     </KSK>
> 
>     <!-- Parameters for ZSK only -->
>     <ZSK>
>       <Algorithm length="2048">8</Algorithm>
>       <Lifetime>P120D</Lifetime><!--GRIMM (end)-->
>       <Repository>SoftHSM</Repository>
>     </ZSK>
>   </Keys>
> 
> HTH and regards,
> Michael

That is almost exactly the same Keys config as I have
in kasp.xml. Only differences are that my ZSK Lifetime
is P90D and my ZSK Algorithm length is 1024.

The strange thing is that my KSK keys only have 90 days 
until next transition from when they were created, as shown
with this command (output somewhat edited):

$ ods-enforcer key list -v
Keys:
Zone:   Keytype: State:  Date of next transition: Size: Algorithm:
xxx.se  KSK      active  2019-01-03 13:35:10      2048  8
xxx.se  ZSK      active  2019-01-03 13:35:10      1024  8
yyy.se  KSK      active  2019-01-03 14:38:48      2048  8
yyy.se  ZSK      active  2019-01-03 14:38:48      1024  8

Do you see differing next transition dates for KSK and ZSK
with that command?

Or should that command not be used in OpenDNSSEC 2.1.3?

Thanks!

Peter
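As an added example for this thread (not code from the message above or from the OpenDNSSEC project), the script below cross-checks the <Lifetime> values in a kasp.xml <Keys> block against `ods-enforcer key list -v` output and flags zones where the active KSK's next transition coincides with the ZSK's, or falls within one ZSK lifetime even though the policy gives the KSK a much longer one. The kasp.xml fragment and the listing it parses are constructed from what is quoted in the thread (with the poster's P90D / 1024-bit ZSK). Two assumptions to keep in mind: ISO 8601 years and months have no fixed length, so the parser approximates them as 365 and 30 days; and the "Date of next transition" of an active key is treated as its scheduled rollover, which is the reading the question relies on but not something the script can verify from the listing alone.

```python
"""Cross-check kasp.xml key lifetimes against `ods-enforcer key list -v`.

Added example for this thread, not code from the message or from OpenDNSSEC.
Sample inputs are constructed from the quoted config and listing."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed <Keys> block following the fragment quoted in the thread (P90D, 1024-bit ZSK).
KASP_XML = """<Keys>
  <TTL>PT3600S</TTL>
  <KSK>
    <Algorithm length="2048">8</Algorithm>
    <Lifetime>P10Y</Lifetime>
    <Repository>SoftHSM</Repository>
  </KSK>
  <ZSK>
    <Algorithm length="1024">8</Algorithm>
    <Lifetime>P90D</Lifetime>
    <Repository>SoftHSM</Repository>
  </ZSK>
</Keys>"""

# Constructed `ods-enforcer key list -v` output, same shape as in the thread.
KEY_LIST = """Keys:
Zone:   Keytype: State:  Date of next transition: Size: Algorithm:
xxx.se  KSK      active  2019-01-03 13:35:10      2048  8
xxx.se  ZSK      active  2019-01-03 13:35:10      1024  8
yyy.se  KSK      active  2019-01-03 14:38:48      2048  8
yyy.se  ZSK      active  2019-01-03 14:38:48      1024  8
"""

_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

def parse_duration(text):
    """ISO 8601 duration as written in kasp.xml (P10Y, P90D, PT3600S) -> timedelta.
    Years/months have no fixed length; 365 and 30 days are used as an approximation."""
    text = text.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    days = g["y"] * 365 + g["mo"] * 30 + g["w"] * 7 + g["d"]
    return timedelta(days=days, hours=g["h"], minutes=g["mi"], seconds=g["s"])

def parse_lifetimes(kasp_xml):
    """{'KSK': timedelta, 'ZSK': timedelta} from the first KSK/ZSK <Lifetime> found."""
    root = ET.fromstring(kasp_xml)
    lifetimes = {}
    for keytype in ("KSK", "ZSK"):
        node = root.find(f".//{keytype}/Lifetime")
        if node is None or not node.text:
            raise ValueError(f"no {keytype} <Lifetime> in kasp.xml")
        lifetimes[keytype] = parse_duration(node.text)
    return lifetimes

def parse_key_list(text):
    """`ods-enforcer key list -v` -> {zone: {keytype: (state, next_transition)}}."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()  # zone keytype state date time size algorithm
        if len(parts) < 7 or parts[1] not in ("KSK", "ZSK"):
            continue  # skips the "Keys:" line and the column header
        when = datetime.strptime(f"{parts[3]} {parts[4]}", "%Y-%m-%d %H:%M:%S")
        keys.setdefault(parts[0], {})[parts[1]] = (parts[2], when)
    return keys

def check(keys, lifetimes, now):
    """Flag zones whose active KSK appears to be on the ZSK schedule.
    Assumes 'Date of next transition' of an active key is its scheduled rollover."""
    findings = {}
    for zone, bytype in sorted(keys.items()):
        ksk, zsk = bytype.get("KSK"), bytype.get("ZSK")
        reasons = []
        if ksk is None or zsk is None:
            reasons.append("zone is missing a KSK or a ZSK")
        else:
            if ksk[1] == zsk[1]:
                reasons.append("KSK and ZSK share the same next transition")
            if (ksk[0] == "active" and lifetimes["KSK"] > lifetimes["ZSK"]
                    and ksk[1] - now <= lifetimes["ZSK"]):
                reasons.append("active KSK transitions within one ZSK lifetime")
        if reasons:
            findings[zone] = reasons
    return findings

def report(kasp_xml, key_list_text, now_text):
    """now_text as 'YYYY-MM-DD HH:MM:SS', the same format the listing uses."""
    now = datetime.strptime(now_text, "%Y-%m-%d %H:%M:%S")
    return check(parse_key_list(key_list_text), parse_lifetimes(kasp_xml), now)

if __name__ == "__main__":
    for zone, reasons in report(KASP_XML, KEY_LIST, "2018-11-05 20:43:22").items():
        print(zone, "->", "; ".join(reasons))
```

Run against the constructed inputs at the time of the post, both zones are flagged on both counts; a zone whose KSK transition sits years out while the ZSK rolls quarterly produces no finding. Feed it the real kasp.xml and the unedited listing to see whether the symptom is in the enforcer's schedule or only in how the output was read.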
