On 2010-07-07 09:07, Sion Lloyd wrote:
>> However, in spite of short timing-settings, the number of retired ZSK's
>> is increasing, because their next transition time is always one week
>> ahead, no matter what I try to shorten this.
>>
>> I fiddled around with a number of options, in particular the
>> RetireSafety setting, but so far without luck.
>>
>> What am I missing here?
>
> The time that a key is in the retire state is given by the signature lifetime
> + the propagation delay + the retire safety margin (and strictly we should
> add jitter in too).

Yep, that was it; signature lifetime was still at P7D. Thank you!

It might be interesting to extend ods-ksmutil with an option that draws
a kind of timeline similar to:

http://trac.opendnssec.org/attachment/wiki/Signer/Using/Configuration/kasp/signature-lifetime.png

Only then with the actual configured values included.

Regards,
--
Marco
