That was very helpful and exactly what I wanted to hear. Thank you. Emil
On Thu, Mar 26, 2015 at 12:03 PM, Siôn Lloyd <[email protected]> wrote:
> On 25/03/15 10:35, Emil Natan wrote:
> > Hi Sion,
> >
> > Thank you for the reply. That's exactly what I did, but I was more concerned what will happen if we forget about the rollover and the alerts are missed for some reason. Of course I can give it a bit more buffer, but if the rollover is missed at some point I presume the key will be marked retired and the DNSKEY not signed in the case of KSK. Is that right?
>
> No, the key will not be retired until there is a suitable replacement available... The system will nag you but no more.
>
> This is true for manual rollover set or not; in fact the KSK rollover already has the manual step of the "ds-seen" command being issued. You could, in theory, never run this command and the system will continue to use the old key.
>
> Sion
>
> > Emil
> >
> > On Wed, Mar 25, 2015 at 10:57 AM, Siôn Lloyd <[email protected]> wrote:
> >
> > > On 24/03/15 17:21, Emil Natan wrote:
> > > > Hello,
> > > >
> > > > I was just wondering what's the meaning of the Lifetime parameter when used with ManualRollover. I understand that the Lifetime is used when pregenerating keys, for example to calculate the number of keys for a period, but if ManualRollover is set what will the enforcer do when the Lifetime limit is met (more than just send an alert)? I'm going to test this scenario in a test environment, but I'm interested what others think about it.
> > > >
> > > > Thanks.
> > > >
> > > > Emil
> > >
> > > Hi Emil,
> > >
> > > as you suspect the key lifetime is still used for all the same calculations and log messages as before; however with ManualRollover set there is a requirement for user intervention to allow the rollover to proceed.
> > >
> > > If you want to roll keys when you need to and without any warnings then you can set the lifetime to something larger than you would want. Say I want to roll keys on the 1st January every year, I could set the lifetime to 13 months so that I will only see log messages if I forgot to initiate the rollover.
> > >
> > > Sion
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
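The setup Siôn describes (ManualRollover on the KSK with a Lifetime longer than the intended rollover interval, so the enforcer only nags when the operator forgets) as a kasp.xml policy fragment. This is an added illustration, not configuration from the thread; the policy name, repository name, algorithm and the ZSK settings are assumptions.

```xml
<!-- Added example: kasp.xml policy fragment (hypothetical values). -->
<KASP>
  <Policy name="manual-ksk">
    <Description>KSK rolled by hand each January; enforcer only warns</Description>
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
      <PublishSafety>PT3600S</PublishSafety>
      <Purge>P14D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <!-- 13 months (ISO 8601 duration), i.e. longer than the yearly
             rollover the operator intends. With ManualRollover set the
             enforcer does not retire the key when this elapses; it keeps
             signing with the old KSK and logs that a rollover is due. -->
        <Lifetime>P13M</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
        <!-- Presence of this element means the rollover waits for the
             operator (ods-ksmutil key rollover, then ds-seen after the
             new DS is published at the parent). -->
        <ManualRollover/>
      </KSK>
      <ZSK>
        <!-- ZSK left on automatic rollover for contrast. -->
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>P30D</Lifetime>
        <Repository>SoftHSM</Repository>
        <Standby>0</Standby>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
```

Watch the enforcer log for the lifetime-expired messages on the KSK: under this policy they are the only signal that the January rollover was missed.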
