On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
> On 5. Nov 2018, at 15:45, [email protected] wrote:
> 
> > I'm wondering if P10Y is too long to be accepted, and
> > because of that OpenDNSSEC somehow decided to default
> > to the same Lifetime for KSK as for ZSK?
> 
> Yes, 10 years should work. I do have the same settings regarding KSK:
> 
> <Keys>
>     <!-- Parameters for both KSK and ZSK -->
>     <TTL>PT3600S</TTL>
>     <RetireSafety>PT3600S</RetireSafety>
>     <PublishSafety>PT3600S</PublishSafety>
>     <Purge>P14D</Purge>
> 
>     <!-- Parameters for KSK only -->
>     <KSK>
>         <Algorithm length="2048">8</Algorithm>
>         here --> <Lifetime>P10Y</Lifetime>
>         <Repository>SoftHSM</Repository>
>     </KSK>
> 
>     <!-- Parameters for ZSK only -->
>     <ZSK>
>         <Algorithm length="2048">8</Algorithm>
>         <Lifetime>P120D</Lifetime><!--GRIMM (end)-->
>         <Repository>SoftHSM</Repository>
>     </ZSK>
> </Keys>
> 
> HTH and regards,
> Michael
That is almost exactly the same Keys config as I have in kasp.xml. Only differences are that my ZSK Lifetime is P90D and my ZSK Algorithm length is 1024.

The strange thing is that my KSK keys only have 90 days until next transition from when they were created, as shown with this command (output somewhat edited):

$ ods-enforcer key list -v
Keys:
Zone:    Keytype:  State:   Date of next transition:  Size:  Algorithm:
xxx.se   KSK       active   2019-01-03 13:35:10       2048   8
xxx.se   ZSK       active   2019-01-03 13:35:10       1024   8
yyy.se   KSK       active   2019-01-03 14:38:48       2048   8
yyy.se   ZSK       active   2019-01-03 14:38:48       1024   8

Do you see differing next transition dates for KSK and ZSK with that command? Or should that command not be used in OpenDNSSEC 2.1.3?

Thanks!
Peter

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
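As an added example (not code from the thread or from OpenDNSSEC itself): a small Python check that reads the KSK and ZSK Lifetime values from a kasp.xml Keys section, parses `ods-enforcer key list -v` output in the column layout Peter pasted, and flags active keys whose next transition comes far sooner than the policy Lifetime would allow. The Keys fragment, the listing and the key creation time are constructed from the values in the thread; the column layout and the single shared creation time are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed <Keys> fragment (assumed shape of the kasp.xml Keys section discussed in the thread).
KASP_KEYS = """<Keys>
  <TTL>PT3600S</TTL>
  <KSK><Algorithm length="2048">8</Algorithm><Lifetime>P10Y</Lifetime><Repository>SoftHSM</Repository></KSK>
  <ZSK><Algorithm length="1024">8</Algorithm><Lifetime>P90D</Lifetime><Repository>SoftHSM</Repository></ZSK>
</Keys>"""

# Constructed listing in the (edited) column layout Peter pasted from `ods-enforcer key list -v`.
KEY_LIST = """Keys:
Zone:    Keytype:  State:   Date of next transition:  Size:  Algorithm:
xxx.se   KSK       active   2019-01-03 13:35:10       2048   8
xxx.se   ZSK       active   2019-01-03 13:35:10       1024   8
"""

_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_ROW = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\d+)$")

def parse_duration(text):
    """ISO 8601 duration as used in kasp.xml -> timedelta (years/months approximated as 365/30 days)."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text}")
    y, mo, d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=y * 365 + mo * 30 + d, hours=h, minutes=mi, seconds=s)

def policy_lifetimes(keys_xml):
    """Return {'KSK': timedelta, 'ZSK': timedelta} from a <Keys> element."""
    root = ET.fromstring(keys_xml)
    return {kt: parse_duration(root.find(f"./{kt}/Lifetime").text) for kt in ("KSK", "ZSK")}

def parse_key_list(listing):
    """(zone, keytype, state, next_transition) per data row; header lines do not match _ROW."""
    matches = (_ROW.match(line.strip()) for line in listing.splitlines())
    return [(m[1], m[2], m[3], datetime.strptime(m[4], "%Y-%m-%d %H:%M:%S")) for m in matches if m]

def check_transitions(keys_xml, listing, created):
    """Flag active keys whose next transition is less than half the policy Lifetime after `created`
    (assumption: every listed key was generated at the same time, given as 'YYYY-MM-DD HH:MM:SS')."""
    life = policy_lifetimes(keys_xml)
    t0 = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
    findings = []
    for zone, kt, state, nxt in parse_key_list(listing):
        remaining = nxt - t0
        if state == "active" and remaining * 2 < life[kt]:
            findings.append(f"{zone} {kt}: next transition in {remaining.days}d, policy Lifetime is {life[kt].days}d")
    return findings
```

Run `check_transitions(KASP_KEYS, KEY_LIST, "2018-10-05 13:35:10")` to reproduce the situation in the thread: the ZSK transition matches its P90D Lifetime, while the KSK transition at 90 days is flagged against P10Y.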
