On 03/10/2014 01:50 PM, Jerry Lundström wrote:
> Hi Erik,
>
> On 10 Mar 2014, at 11:18 , Erik P. Ostlyngen <[email protected]> wrote:
>
>> I think it would be handy if one could configure OpenDNSSec
>> with KSKs to have a lifetime of e.g. 1 year and that rollover
>> should be completely manual. OpenDNSSec would then do nothing
>> when the key expires, other than logging warning messages,
>> waiting for the operator to initiate a rollover with a
>> 'ods-ksmutil key rollover' command or otherwise issue some
>> other command to extend the lifetime of the old key.
>
> As OpenDNSSEC was designed to handle keys automatically I do not
> see a point in adding the manual steps you are describing, and
> the functionality you want already exists: just set the KSK
> lifetime to 10 or 100 years and manage the KSK rollover
> manually.
This is a good enough solution for me. Thanks for clearing these things up. I'll use a 50-year lifetime. By then I'll be retired. 68 years seems to be the maximum on a 32-bit system.

>> Btw, is there a way to see how old a key is? This would be
>> useful in a setting where key rollover is manual.
>
> I don't know if you can see exactly that somewhere, but you can
> see when the next rollover is, and maybe you can see when the key was
> created/introduced somewhere and calculate how old it is.

I can of course read the expiry date and subtract the key lifetime.

Erik Østlyngen
UNINETT Norid

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
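The two bits of arithmetic discussed in this thread, as an added example that is not part of the original messages or of OpenDNSSEC itself: checking that a long KSK lifetime still fits a signed 32-bit seconds counter (the "68 years" limit mentioned above), and recovering a key's age from its scheduled rollover date minus the configured lifetime. The `P50Y`-style ISO 8601 duration syntax and the sample dates are assumptions.

```python
"""Sanity checks for a manually rolled KSK with a very long lifetime."""
import re
from datetime import datetime, timezone

# 2**31 - 1 seconds is roughly 68 years: a lifetime longer than that cannot be
# stored in a signed 32-bit seconds field (the limit noted in the thread).
INT32_MAX_SECONDS = 2**31 - 1
SECONDS_PER_YEAR = 365 * 24 * 3600  # whole-day years; leap days are ignored


def parse_year_duration(lifetime: str) -> int:
    """Parse an ISO 8601 whole-year duration such as 'P50Y' (assumed syntax)."""
    m = re.fullmatch(r"P(\d+)Y", lifetime)
    if not m:
        raise ValueError(f"expected a duration like 'P50Y', got {lifetime!r}")
    return int(m.group(1))


def lifetime_fits_int32(lifetime: str) -> bool:
    """True if the lifetime, expressed in seconds, fits a signed 32-bit counter."""
    years = parse_year_duration(lifetime)
    return years * SECONDS_PER_YEAR <= INT32_MAX_SECONDS


def key_age_days(next_rollover: datetime, lifetime: str, now: datetime) -> int:
    """Age of a key in days, taking creation time = scheduled rollover - lifetime."""
    years = parse_year_duration(lifetime)
    created = next_rollover.replace(year=next_rollover.year - years)
    if created > now:
        raise ValueError("rollover date minus lifetime lies in the future")
    return (now - created).days


if __name__ == "__main__":
    # Constructed sample values: a KSK rolling in 2064 with a 50-year lifetime.
    rollover = datetime(2064, 3, 10, tzinfo=timezone.utc)
    today = datetime(2015, 3, 10, tzinfo=timezone.utc)
    for lt in ("P50Y", "P68Y", "P69Y", "P100Y"):
        print(lt, "fits int32 seconds:", lifetime_fits_int32(lt))
    print("key age in days:", key_age_days(rollover, "P50Y", today))
```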
