On 5. Nov 2018, at 21:43, [email protected] wrote:
> On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
>> On 5. Nov 2018, at 15:45, [email protected] wrote:
>>> I'm wondering if P10Y is too long to be accepted, and
>>> because of that OpenDNSSEC somehow decided to default
>>> to the same Lifetime for KSK as for ZSK?
>>
>> Yes, 10 years should work. I do have the same settings regarding KSK:

[snip]

> That is almost exactly the same Keys config as I have
> in kasp.xml. Only differences are that my ZSK Lifetime
> is P90D and my ZSK Algorithm length is 1024.
>
> The strange thing is that my KSK keys only have 90 days
> until next transition from when they were created, as shown
> with this command (output somewhat edited):
>
> $ ods-enforcer key list -v
> Keys:
> Zone:    Keytype:  State:   Date of next transition:  Size:  Algorithm:
> xxx.se   KSK       active   2019-01-03 13:35:10       2048   8
> xxx.se   ZSK       active   2019-01-03 13:35:10       1024   8
> yyy.se   KSK       active   2019-01-03 14:38:48       2048   8
> yyy.se   ZSK       active   2019-01-03 14:38:48       1024   8

Sigh. That is very irritating, yes. That command shows the comparable dates in my case as well.

> Do you see differing next transition dates for KSK and ZSK
> with that command?

Try 'ods-enforcer rollover list'. Starting with 2.x, reporting of those dates has changed in a way that is very irritating, indeed. I have learned to live with it, but I have to admit that the 1.x reporting has been much more intuitive IMHO.

> Or should that command not be used in OpenDNSSEC 2.1.3?

Well, it is irritating, at least ;-)

Regards,
Michael

P.S. The mailing list is somehow broken currently. I did only receive your mail to my private mail address. But https://lists.opendnssec.org/pipermail/opendnssec-user/2018-November/thread.html shows my mails arriving ...
