Hi Erik,

On 10 Mar 2014, at 11:18 , Erik P. Ostlyngen <[email protected]> wrote:

> I think it would be handy if one could configure OpenDNSSec with KSKs
> to have a lifetime of e.g. 1 year and that rollover should be
> completely manual. OpenDNSSec would then do nothing when the key
> expires, other than logging warning messages, waiting for the operator
> to initiate a rollover with a 'ods-ksmutil key rollover' command or
> otherwise issue some other command to extend the lifetime of the old
> key.

As OpenDNSSEC was designed to handle keys automatically, I do not see a point in adding the manual steps you are describing, and the functionality you want already exists: just set the KSK lifetime to 10 or 100 years and manage the KSK rollover manually.

> Btw, is there a way to see how old a key is? This would be useful
> in a setting where key rollover is manual.

I don’t know if you can see exactly that somewhere, but you can see when the next rollover is, and maybe you can see when the key was created/introduced somewhere and calculate how old it is.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
