> I made some tests with OpenDNSSEC and I have some difficulty configuring
> the key rollover.
>
> There are 4 states for a key (Publish, Ready, Active and Retire).
> Isn't it possible to configure the duration of each state?
> e.g.:
> Publish P5D -> Ready P30D -> Active P30D -> Retire P30D -> DEAD
>
> With the current configuration, how do you get one key in each
> state?
> e.g.:
> KEY1 : Publish > Ready > Active > Retire > DEAD
> KEY2 : Publish > Ready > Active > Retire > DEAD
> KEY3 : Publish > Ready > Active > Retire > DEAD
> ...
>
> I think it's important to always have a key in the Ready state for the
> emergency rollover!
>
> Thanks for your answer
With the current settings you can configure how long a key is active for (the key lifetime). You also have some influence over the publish and retire times (by the publish and retire safety margins); however, the actual values depend on other parameters, like the TTLs involved, etc.

In the keys/KSK and keys/ZSK sections of kasp.xml you can set the "Standby" option to 1 or more to have extra keys in the ready state to roll to.

Note that the details of the KSK management are currently being changed to offer 3 different rollover schemes; these should appear in v1.1.

Sion

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
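As an added example (not part of the original thread or of the OpenDNSSEC project's shipped files), here is the keys section of an OpenDNSSEC 1.x kasp.xml that sets the Lifetime, safety margins and Standby values the reply refers to, written with the same ISO 8601 durations the question uses. The element names are those of OpenDNSSEC 1.x; the policy name, durations, algorithm and repository name are illustrative and assumed.

```xml
<!-- Added example, not from the original thread: fragment of an OpenDNSSEC 1.x kasp.xml.
     Durations are ISO 8601 (P30D = 30 days, PT3600S = 1 hour); the values are illustrative. -->
<KASP>
  <Policy name="example">
    <Description>One standby (Ready) key per key type for emergency rollover</Description>
    <Keys>
      <!-- TTL of the DNSKEY RRset; together with PublishSafety it determines how long a
           key stays in Publish before it can become Ready. It is not set as a fixed duration. -->
      <TTL>PT3600S</TTL>
      <!-- Safety margins added to the computed publish and retire intervals -->
      <PublishSafety>PT3600S</PublishSafety>
      <RetireSafety>PT3600S</RetireSafety>
      <!-- How long a dead key is kept in the database before being purged -->
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>  <!-- 8 = RSASHA256 -->
        <Lifetime>P1Y</Lifetime>                 <!-- time the key spends in Active -->
        <Repository>SoftHSM</Repository>         <!-- must match a Repository name in conf.xml (assumed) -->
        <Standby>1</Standby>                     <!-- one extra KSK kept in Ready, so a roll is possible at once -->
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>                <!-- 30 days Active, as in the question's example -->
        <Repository>SoftHSM</Repository>
        <Standby>1</Standby>                     <!-- one extra ZSK kept in Ready -->
      </ZSK>
    </Keys>
  </Policy>
</KASP>
```

A complete policy also needs the Signatures, Denial, Zone and Parent sections, which are omitted here. The fragment makes the point of the reply concrete: only the Active duration (Lifetime) is set directly, while the Publish and Retire durations fall out of the TTL and the safety margins, and Standby is what guarantees a key is already sitting in Ready when an emergency rollover is needed. In OpenDNSSEC 1.x the edited policy is loaded with ods-ksmutil update kasp, and ods-ksmutil key list shows which state each key is in.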
