[Pdns-users] KSK Key time

Jan-Piet Mens jpmens.dns at gmail.com
Fri Jun 29 12:54:49 UTC 2012


> When publishing the KSK to the registry it reports that the
> Signature is only valid for 14 days (till 12 Juli 2012)

The KSK itself, being a key, never expires. (It call roll, i.e. you can
replace it whenever you wish - AS LONG AS YOU PUBLISH YOUR DS RECORD AT
THE REGISTRY -, but it doesn't expire; sorry for shouting, but that's

> Does this mean that I have to make every 14 days a new KSK key ?
> Is there a option to put in a longer period when creating ?

Not at all. What your parent (i.e. your registry) is telling you is that
the RRSIG validity is 14 days only. This isn't typically a problem
because PowerDNS will re-sign the records before that period is reached. 

I recommend you read the documentation [1] carefully


[1]: http://doc.powerdns.com/powerdnssec-auth.html

More information about the Pdns-users mailing list