Hi,
the zone re-sign event covers all DNSSEC-related actions (key rollover, RRSIG updates,
NSEC3 updates, ...).
I don't think it's important to understand what will happen during the next
re-sign.
ksk-lifetime - A period between KSK generation and the next rollover initiation.
zsk-lifetime - A period between ZSK activation and the next rollover initiation.
in combination with `keymgr ellael.org. list` gives the answer.
However, since version 3.3.5 Knot will log the next key step.
Daniel
On 2/11/24 14:50, Michael Grimm wrote:
Hi,
I am very new to Knot [1].
Excerpts from my knot.conf:
policy:
...
ksk-lifetime: 3650d
zsk-lifetime: 330d
propagation-delay: 1d
...
dns> knotc zone-status ellael.org
[ellael.org.] role: master | serial: 2024021201 | re-sign: +12D8h42m21s
I am a bit puzzled by that "re-sign: +12D8h42m21s".
Does that mean "time until newly issued signatures" and becomes triggered by
default "rrsig-lifetime: 14d" value?
If so, I am very much relieved, if not, what is going on, then?
Here is my question:
How can I find out the dates for upcoming KSK or ZSK rollovers?
This I couldn't find in the documentation, sorry.
Thanks and regards,
Michael
[1] I've been bitten by that subtle bug in mailing list processing system ;-) My
questions regarding migration strategy have become obsolete in the meantime, because I
managed to migrate successfully. Thanks to the great documentation of Knot I could help
myself ;-)