Re: Changing ZSK-lifetime in dnssec-policy is not applied

Hi Matthijs Perfect, thank you for this information and clarifying this. Best regards, Tom On 14.02.22 09:59, Matthijs Mekking wrote: Hi Tom, The lifetime is applied to new keys, so when the ZSK is rolled the lifetime of the successor key should be 60 days. I have considered applying it t

Re: Changing ZSK-lifetime in dnssec-policy is not applied

Hi Tom, The lifetime is applied to new keys, so when the ZSK is rolled the lifetime of the successor key should be 60 days. I have considered applying it to existing keys as well (and maybe we will some day), but there are a bunch of corner cases that make it non-trivial, especially when key

Changing ZSK-lifetime in dnssec-policy is not applied

Hi Using BIND-9.16.22 and dnssec-policy: I've migrated an already existing and signing "auto-dnssec"-configured zone to dnssec-policy (same algorithms). That worked without any issues. After a while, I changed the ZSK lifetime from 30d to 60d (see below) in the dnssec-policy: dnssec-policy