[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?

list-opendnssec-user at jyborn.se list-opendnssec-user at jyborn.se
Tue Nov 6 08:52:38 UTC 2018


On Mon, Nov 05, 2018 at 10:19:03PM +0100, Michael Grimm wrote:
> On 5. Nov 2018, at 21:43, list-opendnssec-user at jyborn.se wrote:
> > On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
> >> On 5. Nov 2018, at 15:45, list-opendnssec-user at jyborn.se wrote:
> 
> >>> I'm wondering if P10Y is too long to be accepted, and
> >>> because of that OpenDNSSEC somehow decided to default
> >>> to the same Lifetime for KSK as for ZSK?
> >> 
> >> Yes, 10 years should work. I do have the same settings regarding KSK:
> 
> [snip]
> 
> > $ ods-enforcer key list -v
> > Keys:
> > Zone:   Keytype: State:  Date of next transition: Size: Algorithm:
> > xxx.se  KSK      active  2019-01-03 13:35:10      2048  8
> > xxx.se  ZSK      active  2019-01-03 13:35:10      1024  8
> > yyy.se  KSK      active  2019-01-03 14:38:48      2048  8
> > yyy.se  ZSK      active  2019-01-03 14:38:48      1024  8
> 
> Sigh. That is very irritating, yes. That command shows the comparable dates in my case as well. 
> 
> > Do you see differing next transition dates for KSK and ZSK
> > with that command?
> 
> Try 'ods-enforcer rollover list'. Starting with 2.x, reporting of those dates has changed in a way that is very irritating, indeed. I have learned to live with it, but I have to admit that the 1.x reporting has been much more intuitive IMHO.

Great, ods-enforcer rollover list shows a KSK date ten years
into the future, so now I'm at ease with my configuration.

Thanks!

Peter


