> How can I shorten the time of keystate generate to publish? It's now 1 day.
You can lower <MaxZoneTTL> in the KASP. By default it is 1 day. The pace of ZSK rollovers is mostly dictated by the TTL of the records, but the enforcer component does not access the actual zone data. MaxZoneTTL is used to indicate the longest TTL in your zone and prevents rollovers from happening too quickly. The signer, by the way, uses this value to cap TTLs in the zone. So setting this value lower does not break your zone DNSSEC-wise.

ODS 2.0 is more conservative than 1.4 in publishing the DNSKEY in a newly added zone. This is the result of 2.0 being more flexible WRT rollovers (i.e. support for algorithm rollover).

Regards,
Yuri
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
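
Added example, not part of the original message or of OpenDNSSEC: since the signer caps zone TTLs at MaxZoneTTL, this Python sketch lists which records would have their TTL capped before you lower the value. The KASP fragment and zone data are constructed, and the zone format is assumed simplified (every record line carries an explicit TTL).

```python
import re
import xml.etree.ElementTree as ET

# Constructed KASP fragment (assumption: a real kasp.xml has many more elements).
KASP_XML = """<KASP><Policy name="default">
  <Signatures><MaxZoneTTL>PT1H</MaxZoneTTL></Signatures>
</Policy></KASP>"""

# Constructed zone data; simplified so every record line has an explicit TTL.
ZONE = """\
example.com.      86400 IN SOA ns1.example.com. host.example.com. 1 3600 600 604800 300
example.com.      86400 IN NS  ns1.example.com.
www.example.com.  300   IN A   192.0.2.10
mail.example.com. 7200  IN MX  10 mx.example.com.
"""

_DUR = re.compile(r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Convert a duration such as P1D or PT3600S to seconds (weeks to seconds only)."""
    m = _DUR.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    w, d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((w * 7 + d) * 24 + h) * 3600 + mi * 60 + s

def max_zone_ttl(kasp_xml):
    """Read MaxZoneTTL from the policy, wherever it sits in the document."""
    node = ET.fromstring(kasp_xml).find(".//MaxZoneTTL")
    if node is None or not node.text:
        raise ValueError("no MaxZoneTTL in policy")
    return duration_seconds(node.text)

def capped_records(zone_text, limit):
    """Return (owner, type, ttl) for records whose TTL exceeds the limit."""
    hits = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if len(fields) >= 4 and fields[1].isdigit() and int(fields[1]) > limit:
            hits.append((fields[0], fields[3], int(fields[1])))
    return hits

if __name__ == "__main__":
    limit = max_zone_ttl(KASP_XML)
    for owner, rtype, ttl in capped_records(ZONE, limit):
        print(f"{owner} {rtype}: TTL {ttl}s would be capped to {limit}s")
```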
