On 5. Nov 2018, at 15:45, [email protected] wrote:

> I'm wondering if P10Y is too long to be accepted, and
> because of that OpenDNSSEC somehow decided to default
> to the same Lifetime for KSK as for ZSK?

Yes, 10 years should work. I do have the same settings regarding KSK:

  <Keys>
    <!-- Parameters for both KSK and ZSK -->
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>

    <!-- Parameters for KSK only -->
    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P10Y</Lifetime> <!-- here -->
      <Repository>SoftHSM</Repository>
    </KSK>

    <!-- Parameters for ZSK only -->
    <ZSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P120D</Lifetime><!--GRIMM (end)-->
      <Repository>SoftHSM</Repository>
    </ZSK>
  </Keys>

HTH and regards,
Michael
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
