[Pdns-users] KSK Key time

Florian Obser florian at narrans.de
Fri Jun 29 11:54:08 UTC 2012


On 06/29/2012 01:48 PM, Steffan Noord wrote:
> Hello list,
> I'm new to PowerDNS
> start using it to roll over to DNSSEC
> I signed a test domain with the command
> pdnssec secure-zone domain
> When publishing the KSK to the registry it reports that the
> Signature is only valid for 14 days (till 12 July 2012)

4.2. Signatures

In PowerDNS live signing mode, signatures, as served through RRSIG
records, are calculated on the fly, and heavily cached. All CPU cores
are used for the calculation.

RRSIGs have a validity period, in PowerDNS by default this period starts
at most a week in the past, and continues at least a week into the future.

Precisely speaking, the time period used is always from the start of the
previous Thursday until the Thursday two weeks later. This two-week
interval jumps with one-week increments every Thursday.

Why Thursday? POSIX-based operating systems count the time since GMT
midnight January 1st of 1970, which was a Thursday. PowerDNS
inception/expiration times are generated based on an integral number of
weeks having passed since the start of the 'epoch'.

~ http://doc.powerdns.com/powerdnssec.html

> Does this mean that I have to make a new KSK key every 14 days?


> Is there an option to put in a longer period when creating?
> Thanxs Steffan
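
The Thursday-to-Thursday rule quoted from the documentation above, worked through for the date of this message. This is an added example, not part of the original post and not PowerDNS code; the function names are assumptions, and it implements the rule as the quoted text words it.

```python
from datetime import datetime, timezone

# One week in seconds. The Unix epoch (1970-01-01 00:00 UTC) was a Thursday,
# so every multiple of WEEK is a Thursday at 00:00 UTC.
WEEK = 7 * 24 * 3600


def rrsig_window(now):
    """Return (inception, expiration) as Unix timestamps for time `now`."""
    inception = (now // WEEK) * WEEK   # start of the most recent Thursday
    expiration = inception + 2 * WEEK  # the Thursday two weeks later
    return inception, expiration


def rrsig_time(ts):
    """Format a timestamp as RRSIG presentation format (YYYYMMDDHHmmSS, UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")


def seconds_remaining(now):
    """Seconds until a signature generated at `now` expires."""
    return rrsig_window(now)[1] - now


def to_unix(year, month, day, hour=0, minute=0, second=0):
    """Helper: UTC calendar time to Unix timestamp."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp())


if __name__ == "__main__":
    # Timestamp of this mailing-list message: Fri Jun 29 11:54:08 UTC 2012
    now = to_unix(2012, 6, 29, 11, 54, 8)
    inception, expiration = rrsig_window(now)
    print("inception :", rrsig_time(inception))
    print("expiration:", rrsig_time(expiration))
    print("days left : %.1f" % (seconds_remaining(now) / 86400))

    # One week later the window has moved forward by one week on its own.
    later = now + WEEK
    print("next week expiration:", rrsig_time(rrsig_window(later)[1]))
```

For the message date, the computed expiration is 12 July 2012, the date the registry reported, and the window advances by one week each Thursday.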

