[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?
Havard Eidnes
he at uninett.no
Mon Nov 5 22:48:30 UTC 2018
>> That is almost exactly the same Keys config as I have
>> in kasp.xml. Only differences are that my ZSK Lifetime
>> is P90D and my ZSK Algorithm length is 1024.
>>
>> The strange thing is that my KSK keys only have 90 days
>> until next transition from when they were created, as shown
>> with this command (output somewhat edited):
>>
>> $ ods-enforcer key list -v
>> Keys:
>> Zone: Keytype: State: Date of next transition: Size: Algorithm:
>> xxx.se KSK active 2019-01-03 13:35:10 2048 8
>> xxx.se ZSK active 2019-01-03 13:35:10 1024 8
>> yyy.se KSK active 2019-01-03 14:38:48 2048 8
>> yyy.se ZSK active 2019-01-03 14:38:48 1024 8
>
> Sigh. That is very irritating, yes. That command shows the
> comparable dates in my case as well.
Wow! That's just Wrong.
Anyone care to defend this behaviour?
Regards,
- Håvard
More information about the Opendnssec-user
mailing list