Hi Dirk,
I agree that it's a little quirk that one cannot easily see the planned
rollover schedule. It will improve slightly in the next version of Knot DNS.
One can only compute it by hand:
Last ZSK publish time is 1491504999 (Thu Apr 6 20:56:39 CEST 2017),
thus the next ZSK will be published at 1491504999 + 180*24*3600 (Tue
Oct 3 20:56:39 CEST 2017) and the signature replacement event will
take place (dnskey_ttl + propagation_delay) afterwards, which is 1h+24h
in your case, if you have zone SOA TTL == 3600. So the answer is October
4th, late evening.
I see no negative effect of importing the keys in your case.
Thanks for your question.
BR,
Libor
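As an added illustration (not code from the thread or from Knot DNS itself), the script below parses `keymgr zone key show` records of the shape quoted further down, picks out the ZSK by its DNSKEY flags, and computes the planned rollover dates exactly as the reply describes: next publish = last publish + zsk-lifetime, next activation = next publish + dnskey TTL + propagation-delay. The sample records are copied from the thread; the DNSKEY TTL of 3600 s and the fixed CEST (+02:00) offset used for printing are assumptions taken from the reply, and the policy-duration parser is a small helper of my own, not Knot's.

```python
import datetime

# Constructed sample input: the two key records quoted in Dirk's message.
KEYMGR_SHOW_OUTPUT = """\
id 28f58xx
keytag 6862
algorithm 8
size 4096
flags 257
publish 1491505038
active 1491505038
retire 0
remove 0
id 79fb61b77xx
keytag 63816
algorithm 8
size 2048
flags 256
publish 1491504999
active 1491504999
retire 0
remove 0
"""

# Assumed policy values from the thread (zsk-lifetime: 180d, propagation-delay: 1d)
# and the DNSKEY TTL the reply assumes (zone SOA TTL == 3600).
POLICY = {"zsk-lifetime": "180d", "propagation-delay": "1d"}
DNSKEY_TTL_SECONDS = 3600
CEST = datetime.timezone(datetime.timedelta(hours=2))  # assumption: times shown in CEST


def parse_duration(value):
    """Parse a Knot-style duration such as '180d', '1h', '30m' or '45' (seconds).
    Hypothetical helper for this example; Knot's own parser is not used here."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def parse_keymgr_show(text):
    """Turn one or more 'keymgr zone key show' records into a list of dicts.
    Each record starts at an 'id' line; numeric fields become ints."""
    keys, current = [], None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        field, value = parts
        if field == "id":
            current = {"id": value}
            keys.append(current)
        elif current is not None:
            current[field] = int(value) if value.isdigit() else value
    return keys


def is_zsk(key):
    """DNSKEY flags 257 = zone key + SEP bit (KSK); 256 = zone key only (ZSK)."""
    return key["flags"] & 1 == 0


def plan_zsk_rollover(keys, policy, dnskey_ttl_seconds):
    """Compute the next ZSK publish and signature-switch times (unix seconds),
    following the schedule described in the reply above."""
    zsks = [k for k in keys if is_zsk(k)]
    latest = max(zsks, key=lambda k: k["publish"])
    next_publish = latest["publish"] + parse_duration(policy["zsk-lifetime"])
    next_active = next_publish + dnskey_ttl_seconds + parse_duration(policy["propagation-delay"])
    return {"current_zsk": latest["id"],
            "next_zsk_publish": next_publish,
            "next_zsk_active": next_active}


def fmt(ts):
    return datetime.datetime.fromtimestamp(ts, CEST).strftime("%a %b %d %H:%M:%S %Z %Y")


if __name__ == "__main__":
    plan = plan_zsk_rollover(parse_keymgr_show(KEYMGR_SHOW_OUTPUT), POLICY, DNSKEY_TTL_SECONDS)
    print("current ZSK      :", plan["current_zsk"])
    print("next ZSK publish :", plan["next_zsk_publish"], fmt(plan["next_zsk_publish"]))
    print("next ZSK active  :", plan["next_zsk_active"], fmt(plan["next_zsk_active"]))
```

Running it reproduces the reply's arithmetic: the next ZSK is published on 3 October 2017 in the evening (CEST) and signatures switch 25 hours later, on 4 October. Because the script only reads the `publish` timestamps, it works the same whether the keys were generated by Knot or imported.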
On 2.5.2017 at 23:23, knot.dirk(a)o.banes.ch wrote:
Dear all,
I set up knot to do an automatic rollover of the zsk after 180 days
policy:
  - id: policy
    keystore: keystore
    manual: off
    single-type-signing: off
    algorithm: rsasha256
    ksk-size: 4096
    zsk-size: 2048
    zsk-lifetime: 180d
    propagation-delay: 1d
However, I cannot see on which date this will be.
root@vserver:~# keymgr zone key list yyy.ch
- 28f58xx 6862
- 79fb61b77xx 63816
root@vserver:~# keymgr zone key list yyy.ch
- 28f58xx 6862
- 79fb61b77xx 63816
root@vserver:~# keymgr zone key show yyy.ch
Name of zone and key have to be specified.
root@vserver:~# keymgr zone key show yyy.ch 28f58xx
id 28f58xx
keytag 6862
algorithm 8
size 4096
flags 257
publish 1491505038
active 1491505038
retire 0
remove 0
root@vserver:~# keymgr zone key show yyy.ch 79fb61b77xx
id 79fb61b77xx
keytag 63816
algorithm 8
size 2048
flags 256
publish 1491504999
active 1491504999
retire 0
remove 0
How do I know it is activated and when it will be?
I imported the keys - can this be the reason?
Thank you and
best regards
Dirk
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users