Hi Jan-Piet,

this is exactly how it is designed to operate.

Feel encouraged to continue this way :)

You can also trigger KSK rollovers with the knotc zone-key-rollover command. In that case, it would proceed with an automatic KSK rollover, including DS submission etc.

Libor

On 12 May 2022 at 15:42, Jan-Piet Mens wrote:
Hello,

I'd like to be able to do automatic ZSK and manual KSK rollovers. Basically the
KSK should have an endless validity but I might want to roll it with
(manually-triggered) RFC 5011 semantics.

Is it permissible to have a policy such as shown below and then explicitly
use `keymgr' commands to generate new keys and set `revoke', `retire' and
`remove' timers on the older key?

Testing indicates that it works as desired, I'm just unsure whether key
manipulation is permitted.

policy:
  - id: autoHSM
    keystore: pemstore
    single-type-signing: off
    manual: off
    ksk-shared: off
    ksk-lifetime: 0
    zsk-lifetime: 30d
    cds-cdnskey-publish: rollover

Thank you,

    -JP
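As an added example, not part of this thread and not Knot's own tooling: a POSIX shell wrapper around the keymgr steps the question describes, for a policy like the one above (ksk-lifetime: 0 so Knot never rolls the KSK itself, a finite zsk-lifetime for automatic ZSK rollovers). The zone name, key id, algorithm, hold-down lengths and the relative order of the retire/revoke/remove timers are assumptions made for the example; DRY_RUN=1 prints the keymgr command lines instead of executing them so the plan can be reviewed before the KASP database is touched.

```shell
#!/bin/sh
# Manual, RFC 5011-style KSK rollover for a Knot DNS zone using keymgr.
# Added example, not from the thread or the Knot project. Assumes the zone's
# policy has ksk-lifetime: 0 and a finite zsk-lifetime, as in the policy quoted
# above. Zone name, key ids, algorithm and hold-down lengths are illustrative.
# DRY_RUN=1 prints the keymgr command lines instead of running them.

KEYMGR="${KEYMGR:-keymgr}"                          # path to the keymgr binary
ALGORITHM="${ALGORITHM:-ecdsap256sha256}"           # assumed key algorithm
ADD_HOLD_DOWN_DAYS="${ADD_HOLD_DOWN_DAYS:-30}"      # RFC 5011 add hold-down
REMOVE_HOLD_DOWN_DAYS="${REMOVE_HOLD_DOWN_DAYS:-30}" # RFC 5011 remove hold-down

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: generate the successor KSK. It is published immediately, so RFC 5011
# validators start their add hold-down timer, and becomes active (signs the
# DNSKEY RRset) once the add hold-down has elapsed. keymgr timer arguments
# accept "now" and relative "+<N><unit>" offsets.
publish_new_ksk() {
    zone=$1
    run "$KEYMGR" "$zone" generate algorithm="$ALGORITHM" ksk=yes \
        publish=now active="+${ADD_HOLD_DOWN_DAYS}d"
}

# Step 2: print the zone's DS records so the new key can be submitted to the
# parent by hand; with ksk-lifetime: 0 Knot does not drive DS submission.
show_ds() {
    zone=$1
    run "$KEYMGR" "$zone" ds
}

# Step 3: schedule the old KSK's timers (key id taken from "keymgr <zone> list").
# Assumed ordering: retire and revoke at the moment the new key becomes active,
# remove after a further remove hold-down, so validators observe the revoked
# key long enough to drop it from their trust anchors.
revoke_old_ksk() {
    zone=$1
    old_key=$2
    remove_days=$((ADD_HOLD_DOWN_DAYS + REMOVE_HOLD_DOWN_DAYS))
    run "$KEYMGR" "$zone" set "$old_key" \
        retire="+${ADD_HOLD_DOWN_DAYS}d" revoke="+${ADD_HOLD_DOWN_DAYS}d" \
        remove="+${remove_days}d"
}

# Usage: ksk-roll.sh publish <zone> | ds <zone> | revoke <zone> <old-key-id>
case "${1:-}" in
    publish) publish_new_ksk "$2" ;;
    ds)      show_ds "$2" ;;
    revoke)  revoke_old_ksk "$2" "$3" ;;
    *)       ;;   # no arguments: only define the functions
esac
```

After each step, `keymgr <zone> list` shows the resulting key states and timers, which is the place to confirm that the revoked key is still published while the new one takes over and that the remove timer lands after the remove hold-down.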