[Pdns-users] KSK Key time
Jan-Piet Mens
jpmens.dns at gmail.com
Fri Jun 29 12:54:49 UTC 2012
Steffan,
> When publishing the KSK to the registry it reports that the
> Signature is only valid for 14 days (till 12 July 2012)
The KSK itself, being a key, never expires. (It can roll, i.e. you can
replace it whenever you wish - AS LONG AS YOU PUBLISH YOUR DS RECORD AT
THE REGISTRY -, but it doesn't expire; sorry for shouting, but that's
important!)
> Does this mean that I have to make every 14 days a new KSK key ?
> Is there an option to put in a longer period when creating ?
Not at all. What your parent (i.e. your registry) is telling you is that
the RRSIG validity is 14 days only. This isn't typically a problem
because PowerDNS will re-sign the records before that period is reached.
I recommend you read the documentation [1] carefully.
-JP
[1]: http://doc.powerdns.com/powerdnssec-auth.html
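
The distinction made in the reply above (the key does not expire, the RRSIG over it does) can be checked from the signature record itself. This is an added example, not part of the original post or of PowerDNS: it parses the validity window from an RRSIG in presentation format (RFC 4034) and flags a signature that has not been refreshed in time. The zone name, key tag, signature data and the 3-day warning threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG covering the DNSKEY RRset, valid for 14 days.
# Zone name, key tag and signature blob are placeholders, not real data.
SAMPLE_RRSIG = ("example.nl. 3600 IN RRSIG DNSKEY 8 2 3600 "
                "20120712000000 20120628000000 12345 example.nl. c2FtcGxl")


def _ts(field):
    # RRSIG presentation format carries timestamps as YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return the validity-related fields of one RRSIG record line."""
    fields = line.split()
    i = fields.index("RRSIG")
    # RDATA order: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    covered, _alg, _labels, _ttl, expiration, inception, key_tag, signer = \
        fields[i + 1:i + 9]
    return {
        "covered": covered,
        "key_tag": int(key_tag),
        "signer": signer,
        "inception": _ts(inception),
        "expiration": _ts(expiration),
    }


def signature_status(line, now, warn=timedelta(days=3)):
    """Classify the signature window relative to 'now' (timezone-aware UTC)."""
    sig = parse_rrsig(line)
    if now < sig["inception"]:
        return "NOT_YET_VALID"
    if now >= sig["expiration"]:
        return "EXPIRED"
    # A signer that re-signs on schedule never lets the window get this short.
    if sig["expiration"] - now <= warn:
        return "RESIGN_OVERDUE"
    return "OK"


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    print("validity window:", sig["expiration"] - sig["inception"])
    print(signature_status(SAMPLE_RRSIG, datetime.now(timezone.utc)))
```
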