On 03/10/2014 09:37 AM, Jerry Lundström wrote:
> Hi Erik,
>
> On 10 mar 2014, at 08:52, "Erik P. Ostlyngen" <[email protected]> wrote:
>>
>> I understand. We'll use a 10-year or longer lifetime then. What
>> confused me is that OpenDNSSEC created a new key and published
>> it in my zonefile, waiting for me to complete the rollover by
>> issuing a ds-seen command. This looks very similar to the
>> automatic KSK rollover (which also stops and waits for me to issue
>> a ds-seen command). This makes me wonder what difference the
>> ManualRollover tag makes.
>
> Ah, I see now why you might be confused.
>
> ManualRollover is the default behavior of the KSK; there is no
> automatic rollover because that would break your zone. Adding
> <ManualRollover> does not change anything for the KSK.
I think it would be handy if one could configure OpenDNSSEC so that KSKs have a lifetime of, e.g., 1 year and the rollover is completely manual. OpenDNSSEC would then do nothing when the key expires, other than logging warning messages, waiting for the operator to initiate a rollover with an 'ods-ksmutil key rollover' command or to issue some other command to extend the lifetime of the old key.

Btw, is there a way to see how old a key is? This would be useful in a setting where key rollover is manual.

Erik Østlyngen
UNINETT Norid

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
