[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?

Michael Grimm trashcan at ellael.org
Mon Nov 5 21:19:03 UTC 2018


On 5. Nov 2018, at 21:43, list-opendnssec-user at jyborn.se wrote:
> On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
>> On 5. Nov 2018, at 15:45, list-opendnssec-user at jyborn.se wrote:

>>> I'm wondering if P10Y is too long to be accepted, and
>>> because of that OpenDNSSEC somehow decided to default
>>> to the same Lifetime for KSK as for ZSK?
>> 
>> Yes, 10 years should work. I do have the same settings regarding KSK:

[snip]

> That is almost exactly the same Keys config as I have
> in kasp.xml. Only differences are that my ZSK Lifetime
> is P90D and my ZSK Algorithm length is 1024.
> 
> The strange thing is that my KSK keys only have 90 days 
> until next transition from when they were created, as shown
> with this command (output somewhat edited):
> 
> $ ods-enforcer key list -v
> Keys:
> Zone:   Keytype: State:  Date of next transition: Size: Algorithm:
> xxx.se  KSK      active  2019-01-03 13:35:10      2048  8
> xxx.se  ZSK      active  2019-01-03 13:35:10      1024  8
> yyy.se  KSK      active  2019-01-03 14:38:48      2048  8
> yyy.se  ZSK      active  2019-01-03 14:38:48      1024  8

Sigh. That is very irritating, yes. That command shows the comparable dates in my case as well. 

> Do you see differing next transition dates for KSK and ZSK
> with that command?

Try 'ods-enforcer rollover list'. Starting with 2.x, the reporting of those dates has changed in a way that is very irritating, indeed. I have learned to live with it, but I have to admit that the 1.x reporting has been much more intuitive IMHO.

> Or should that command not be used in OpenDNSSEC 2.1.3?

Well, it is irritating, at least ;-)

Regards,
Michael

P.S. The mailing list is somehow broken currently. I only received your mail at my private mail address. But https://lists.opendnssec.org/pipermail/opendnssec-user/2018-November/thread.html shows my mails arriving ...
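As an added example (not code from either poster or from the OpenDNSSEC project), here is the check a practitioner would want after reading this exchange: parse the `ods-enforcer key list -v` table quoted above and compare each key's reported "Date of next transition" with its creation time plus the kasp.xml Lifetime. If the two agree, the listed date is the lifetime-driven rollover; if they do not, it is some other scheduled state change, which is why the thread points at `ods-enforcer rollover list` instead. The key creation timestamps and the Lifetime values (KSK P10Y, ZSK P90D) are assumptions modelled on what the posters describe, and `parse_key_list`, `add_duration`, `check_transitions` and `zones_with_shared_transition` are this example's own helpers, not OpenDNSSEC tooling.

```python
"""Parse `ods-enforcer key list -v` output and check whether each key's
reported "Date of next transition" equals creation time + kasp.xml Lifetime.

Added example for this thread; not code from the posters or from OpenDNSSEC.
The creation times and the Lifetimes (KSK P10Y, ZSK P90D) are assumptions
chosen to match what the posters describe, not values taken from the page.
"""
import calendar
import re
from datetime import datetime, timedelta

# Constructed sample: the table quoted in the thread, copied as shown there.
KEY_LIST_OUTPUT = """\
Keys:
Zone:   Keytype: State:  Date of next transition: Size: Algorithm:
xxx.se  KSK      active  2019-01-03 13:35:10      2048  8
xxx.se  ZSK      active  2019-01-03 13:35:10      1024  8
yyy.se  KSK      active  2019-01-03 14:38:48      2048  8
yyy.se  ZSK      active  2019-01-03 14:38:48      1024  8
"""

# Assumed kasp.xml <Lifetime> values (ISO 8601 durations, as OpenDNSSEC uses).
LIFETIMES = {"KSK": "P10Y", "ZSK": "P90D"}

# Assumed creation times: the posters say the keys are 90 days old at the
# reported transition, so creation = reported transition - 90 days.
CREATED = {
    ("xxx.se", "KSK"): datetime(2018, 10, 5, 13, 35, 10),
    ("xxx.se", "ZSK"): datetime(2018, 10, 5, 13, 35, 10),
    ("yyy.se", "KSK"): datetime(2018, 10, 5, 14, 38, 48),
    ("yyy.se", "ZSK"): datetime(2018, 10, 5, 14, 38, 48),
}

_ROW_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<alg>\d+)$"
)
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_key_list(text):
    """Return one dict per key row; the banner and column header are skipped."""
    keys = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue  # "Keys:" banner, column header, or unrelated text
        row = m.groupdict()
        row["when"] = datetime.strptime(row["when"], "%Y-%m-%d %H:%M:%S")
        row["size"], row["alg"] = int(row["size"]), int(row["alg"])
        keys.append(row)
    return keys


def add_duration(start, iso):
    """start + ISO 8601 duration. Years/months move the calendar date (day
    clamped to the target month's length); weeks/days/time add a timedelta."""
    m = _DURATION_RE.match(iso)
    if not m or iso == "P":
        raise ValueError(f"not an ISO 8601 duration: {iso!r}")
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    months = start.month - 1 + g["mo"] + 12 * g["y"]
    year, month = start.year + months // 12, months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    shifted = start.replace(year=year, month=month, day=day)
    return shifted + timedelta(weeks=g["w"], days=g["d"],
                               hours=g["h"], minutes=g["mi"], seconds=g["s"])


def check_transitions(keys, created, lifetimes):
    """Compare each key's reported transition with creation + Lifetime.
    A mismatch means the listed date is the next scheduled state change,
    not the lifetime-driven rollover (for that, use `rollover list`)."""
    report = {}
    for k in keys:
        ident = (k["zone"], k["keytype"])
        expected = add_duration(created[ident], lifetimes[k["keytype"]])
        report[ident] = {
            "reported": k["when"],
            "expected_rollover": expected,
            "is_lifetime_rollover": k["when"] == expected,
        }
    return report


def zones_with_shared_transition(keys):
    """Zones whose KSK and ZSK rows show the identical transition timestamp."""
    by_zone = {}
    for k in keys:
        by_zone.setdefault(k["zone"], {})[k["keytype"]] = k["when"]
    return sorted(z for z, t in by_zone.items()
                  if t.get("KSK") is not None and t.get("KSK") == t.get("ZSK"))


if __name__ == "__main__":
    parsed = parse_key_list(KEY_LIST_OUTPUT)
    for ident, r in check_transitions(parsed, CREATED, LIFETIMES).items():
        flag = "OK" if r["is_lifetime_rollover"] else "NOT the lifetime rollover"
        print(f"{ident[0]} {ident[1]}: reported {r['reported']}, "
              f"creation+Lifetime {r['expected_rollover']} -> {flag}")
    print("zones with identical KSK/ZSK dates:", zones_with_shared_transition(parsed))
```

With the assumed creation times, the ZSK rows match creation + P90D exactly, while the KSK rows would only match creation + P10Y in 2028; the reported 2019-01-03 date for the KSK is therefore not its lifetime rollover, which is the confusion the thread describes.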