[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?
list-opendnssec-user at jyborn.se
list-opendnssec-user at jyborn.se
Tue Nov 6 08:52:38 UTC 2018
On Mon, Nov 05, 2018 at 10:19:03PM +0100, Michael Grimm wrote:
> On 5. Nov 2018, at 21:43, list-opendnssec-user at jyborn.se wrote:
> > On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
> >> On 5. Nov 2018, at 15:45, list-opendnssec-user at jyborn.se wrote:
>
> >>> I'm wondering if P10Y is too long to be accepted, and
> >>> because of that OpenDNSSEC somehow decided to default
> >>> to the same Lifetime for KSK as for ZSK?
> >>
> >> Yes, 10 years should work. I do have the same settings regarding KSK:
>
> [snip]
>
> > $ ods-enforcer key list -v
> > Keys:
> > Zone: Keytype: State: Date of next transition: Size: Algorithm:
> > xxx.se KSK active 2019-01-03 13:35:10 2048 8
> > xxx.se ZSK active 2019-01-03 13:35:10 1024 8
> > yyy.se KSK active 2019-01-03 14:38:48 2048 8
> > yyy.se ZSK active 2019-01-03 14:38:48 1024 8
>
> Sigh. That is very irritating, yes. That command shows the comparable dates in my case as well.
>
> > Do you see differing next transition dates for KSK and ZSK
> > with that command?
>
> Try 'ods-enforcer rollover list'. Starting 2.x reporting of those date has changed in a way that is very irritating, indeed. I have learned to live with it, but I have to admit that the 1.x reporting has been much more intuitive IMHO
Great, ods-enforcer rollover list shows a KSK date ten years
into the future, so now I'm at ease with my configuration.
Thanks!
Peter
More information about the Opendnssec-user
mailing list