[Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?
Michael Grimm
trashcan at ellael.org
Tue Nov 6 19:15:51 UTC 2018
On 11/6/18 9:52 AM, list-opendnssec-user at jyborn.se wrote:
[snip]
>>> $ ods-enforcer key list -v
>>> Keys:
>>> Zone: Keytype: State: Date of next transition: Size: Algorithm:
>>> xxx.se KSK active 2019-01-03 13:35:10 2048 8
>>> xxx.se ZSK active 2019-01-03 13:35:10 1024 8
>>> yyy.se KSK active 2019-01-03 14:38:48 2048 8
>>> yyy.se ZSK active 2019-01-03 14:38:48 1024 8
>>
>> Sigh. That is very irritating, yes. That command shows the comparable dates in my case as well.
> The confusion comes from the term "date of next transition", which isn't the next transition of the
> key (state), but of the entire key set. OpenDNSSEC will determine the earliest time there could be a
> change, and plans to inspect and possibly change the keys at that time. So it is the entire key set,
> and it is the time it will try to make a change, not necessarily make a visible change.
Yes, that phrase "date of next transition" irritated me as well after my migration from 1.4 to 2.x some time ago.
I am not a native English speaker, thus I may be mistaken, but to my understanding a "transition" stands for a process of going from "A" to "B", and not for going eventually from "A" to "A".
Suggestion: Change "date of next transition" to "date of next re-evaluation"?
Regards,
Michael
P.S. FYI to the mailing list admin: Your delivering mailserver's IPs lack a reverse hostname PTR entry.
This must have happened yesterday afternoon. That's the reason why I couldn't receive your mails
any longer. I needed to whitelist now ...