> However, in spite of short timing-settings, the number of retired ZSK's > is increasing, because their next transition time is always one week > ahead, no matter what I try to shorten this. > > I fiddled around with a number of options, in particular the > RetireSafety setting, but so far without luck. > > What am I missing here?
The time that a key is in the retire state is given by the signature lifetime + the propagation delay + the retire safety margin (and strictly we should add jitter in too). If this doesn't match what you are seeing then if you send me a copy of your kasp.db I can have a look at what is going on. Sion _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
