On Mon, Nov 05, 2018 at 10:19:03PM +0100, Michael Grimm wrote:
> On 5. Nov 2018, at 21:43, [email protected] wrote:
> > On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote:
> >> On 5. Nov 2018, at 15:45, [email protected] wrote:
>
> >>> I'm wondering if P10Y is too long to be accepted, and
> >>> because of that OpenDNSSEC somehow decided to default
> >>> to the same Lifetime for KSK as for ZSK?
> >>
> >> Yes, 10 years should work. I do have the same settings regarding KSK:
> > [snip]
>
> > $ ods-enforcer key list -v
> > Keys:
> > Zone:    Keytype:  State:   Date of next transition:  Size:  Algorithm:
> > xxx.se   KSK       active   2019-01-03 13:35:10       2048   8
> > xxx.se   ZSK       active   2019-01-03 13:35:10       1024   8
> > yyy.se   KSK       active   2019-01-03 14:38:48       2048   8
> > yyy.se   ZSK       active   2019-01-03 14:38:48       1024   8
>
> Sigh. That is very irritating, yes. That command shows the comparable dates
> in my case as well.
>
> > Do you see differing next transition dates for KSK and ZSK
> > with that command?
>
> Try 'ods-enforcer rollover list'. Starting 2.x reporting of those dates has
> changed in a way that is very irritating, indeed. I have learned to live with
> it, but I have to admit that the 1.x reporting has been much more intuitive
> IMHO

Great, ods-enforcer rollover list shows a KSK date ten years
into the future, so now I'm at ease with my configuration.

Thanks!

Peter
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
