On 03/10/2014 08:25 AM, Jerry Lundström wrote:
> Hi Erik,
>
>> My reason for having a 4h key lifetime here is that I wanted to
>> observe what OpenDNSSec does at the time of key rollover. The
>> question (which was not so clear in my first message) is whether
>> the ManualRollover tag prevents OpenDNSSec from initiating an
>> automatic rollover when the key expires? That is what I expected,
>> but OpenDNSSec seems to roll the key regardless of the
>> ManualRollover tag. Maybe the tag has a different purpose than
>> what I thought it had?
>
> From what you said in your previous email everything is working as
> it should. It did not roll the KSK but it prepared a new KSK for
> you to roll to since you have a 4h lifetime. If you don't wish to
> have that behavior you need to set a lifetime like 10-100 years.
I understand. We'll use a 10-year or longer lifetime then. What confused me is
that OpenDNSSec created a new key and published it in my zonefile, waiting for
me to complete the rollover by issuing a ds-seen command. This looks very
similar to the automatic KSK rollover (which also stops, waiting for me to
issue a ds-seen command). This makes me wonder what difference the
ManualRollover tag makes.

Erik Østlyngen
UNINETT Norid
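The interaction described in this thread (a KSK policy carrying `<ManualRollover/>` but a short `<Lifetime>`, so that the enforcer still prepares and publishes a successor KSK at expiry and then waits for ds-seen) is easy to catch before it surprises an operator. The following is an added example, not code from this thread or from OpenDNSSEC: a small Python linter that reads a kasp.xml, parses the ISO 8601 lifetimes OpenDNSSEC uses (PT4H, P30D, P10Y), and flags every KSK where ManualRollover is set together with a lifetime below a threshold. The kasp.xml element layout (KASP/Policy/Keys/KSK with Lifetime and ManualRollover children) follows the documented format; the two sample policies, the ten-year threshold taken from the advice above, and the 365-day year / 31-day month approximations are assumptions of this example.

```python
"""Lint an OpenDNSSEC kasp.xml for KSKs that combine <ManualRollover/> with a
short <Lifetime>. Added example, not part of the mailing-list thread or of
OpenDNSSEC; sample policies below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml with two policies: the short lifetime that caused the
# confusion in the thread, and the long lifetime suggested as the remedy.
SAMPLE_KASP = """<?xml version="1.0" encoding="UTF-8"?>
<KASP>
  <Policy name="short">
    <Description>KSK with a 4h lifetime and ManualRollover</Description>
    <Keys>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>PT4H</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
        <ManualRollover/>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
      </ZSK>
    </Keys>
  </Policy>
  <Policy name="long">
    <Description>KSK with a 10 year lifetime and ManualRollover</Description>
    <Keys>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>P10Y</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
        <ManualRollover/>
      </KSK>
    </Keys>
  </Policy>
</KASP>
"""

# ISO 8601 duration as written in kasp.xml: P[nY][nM][nW][nD][T[nH][nM][nS]]
_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def duration_seconds(text):
    """Convert a kasp.xml duration (PT4H, P30D, P10Y) to seconds.
    Assumption: a year is 365 days and a month is 31 days."""
    value = text.strip()
    m = _DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError("bad duration: %r" % text)
    g = {k: int(v) if v else 0 for k, v in m.groupdict().items()}
    return (g["y"] * 365 * 86400 + g["mo"] * 31 * 86400 + g["w"] * 7 * 86400
            + g["d"] * 86400 + g["h"] * 3600 + g["mi"] * 60 + g["s"])


# Threshold taken from the advice in the thread (10 years or longer).
MIN_MANUAL_KSK_LIFETIME = 10 * 365 * 86400


def lint_kasp(xml_text, min_lifetime=MIN_MANUAL_KSK_LIFETIME):
    """Return one finding per policy whose KSK has <ManualRollover/> but a
    Lifetime below min_lifetime. With such a policy the enforcer still
    generates and publishes a successor KSK when the lifetime expires and
    then waits for ds-seen, which is what the thread reports."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.findall("Policy"):
        ksk = policy.find("Keys/KSK")
        if ksk is None:
            continue
        lifetime_text = ksk.findtext("Lifetime", "P0D")
        lifetime = duration_seconds(lifetime_text)
        manual = ksk.find("ManualRollover") is not None
        if manual and lifetime < min_lifetime:
            findings.append({
                "policy": policy.get("name"),
                "lifetime_seconds": lifetime,
                "message": ("ManualRollover set but KSK Lifetime %s is short; "
                            "a successor KSK will be prepared at expiry"
                            % lifetime_text),
            })
    return findings


if __name__ == "__main__":
    for finding in lint_kasp(SAMPLE_KASK if False else SAMPLE_KASP):
        print(finding["policy"], finding["message"])
```

Run against the constructed file, only the `short` policy is reported; the `long` policy with `P10Y` passes, matching the thread's suggested configuration. Point the linter at a real kasp.xml by replacing `SAMPLE_KASP` with the file's contents.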
