On 19.02.2010 14:52, [email protected] wrote:
I am running some tests with OpenDNSSEC and I am having some difficulty
configuring the key rollover.

There are 4 states for a key (Publish, Ready, Active and Retire).
Isn't it possible to configure the duration of each state?
e.g.:
Publish P5D -> Ready P30D -> Active P30D -> Retire P30D -> DEAD

With the current configuration, how do you arrange to have one key in each
state?
e.g.:
KEY1 : Publish>Ready>Active>Retire>DEAD
KEY2 :                 Publish>Ready>Active>Retire>DEAD
KEY3 :                                 Publish>Ready>Active>Retire>DEAD
...

I think it's important to always have a key in the Ready state for the
emergency rollover!

Thanks for your answer.

With the current settings you can configure how long a key is active for
(the key lifetime). You also have some influence over the publish and
retire times (by the publish and retire safety margins); however, the
actual values depend on other parameters, like the TTLs involved etc...

In the keys/KSK and keys/ZSK sections of kasp.xml you can set the "Standby"
option to 1 or more to have extra keys in the ready state to roll to.

Note that the details of the KSK management are currently being changed to
offer 3 different rollover schemes; these should appear in v1.1.

Sion

Thanks for your answer!
I have played with the kasp.conf file and the TTL options, etc.
It's clearer for me now, thanks.
But I think there is a problem with the Standby option.
If I put KSK Standby = 5 and ZSK Standby = 0, I have 6 KSK and 6 ZSK (1 Active + 5 publish).
If I put KSK Standby = 0 and ZSK Standby = 5, I have 1 KSK and 6 ZSK (1 Active + 0 publish).

I think the Standby parameter of the KSK is kept for the ZSK.

Tell me if I am wrong.

--
Stéphane Diacquenod
Apprentice Engineer
CITIC74
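
The expectation tested in the message above (keys per type = 1 active + Standby), as an added example that is not part of the original thread: it reads the Standby values from the keys/KSK and keys/ZSK sections of a constructed kasp.xml fragment and flags key types whose observed count differs. The policy name, sample values and function names are assumptions; during a rollover the real key count can legitimately be higher.

```python
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment (sample input, not taken from the thread).
KASP_XML = """
<KASP>
  <Policy name="default">
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P1Y</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>5</Standby>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>softHSM</Repository>
        <Standby>0</Standby>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
"""

def standby_settings(kasp_xml):
    """Return {policy: {"KSK": n, "ZSK": n}} read from Keys/KSK and Keys/ZSK."""
    out = {}
    for policy in ET.fromstring(kasp_xml).iter("Policy"):
        keys = policy.find("Keys")
        out[policy.get("name")] = {
            kind: int(keys.findtext(f"{kind}/Standby", default="0"))
            for kind in ("KSK", "ZSK")
        }
    return out

def check_counts(settings, observed):
    """List (policy, kind, expected, seen) where seen != 1 active + Standby."""
    problems = []
    for policy, per_kind in settings.items():
        for kind, standby in per_kind.items():
            expected = 1 + standby
            seen = observed.get(policy, {}).get(kind, 0)
            if seen != expected:
                problems.append((policy, kind, expected, seen))
    return problems
```

The `observed` argument is a hand-built dictionary of key counts per policy and key type, for example taken from the key listing of the running system.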
