  1. Support
  2. SUPPORT-143

Enforcer uses policy to decide ZSK retire --> dead, not currently signed keys

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: OpenDNSSEC 1.4.6
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels:
      None
    • Environment:

      FreeBSD angst.csh.rit.edu 10.1-BETA3 FreeBSD 10.1-BETA3 #10 r272180: Fri Sep 26 11:17:48 EDT 2014 antiduh@angst.csh.rit.edu:/usr/obj/usr/src/sys/ANGST64 amd64

      Description

      I had a kasp.conf file that had the KASP/Policy/Signatures/Validity section configured to defaults of P14D for both the default and denial. I ran with this for some time. RRSIG records were signed, e.g., I currently have published RRSIG records that expire 14-Oct-2014, since I generated those sigs three days ago.

      I then began a key rollover to test it - my initial keys were imported into OpenDNSSEC and weren't generated by it, so I wanted to play around.

      Most of that rollover has completed, but I'm currently waiting the 14 days for the ZSK to transition from retired to dead.

      After this, I changed the policy file to set the validity to 4d, to make it easier to play around with rollovers. After changing the configuration and reloading it, my current rollover time changed from 14-Oct to 7-Oct, which is four days from today.

      The key rollover period should depend only on expiration dates of current signatures made by that key, which ODS knows to be 14-Oct-2014. Instead it reset the rollover to occur based on today + policy period.
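
The situation described in this report, as an added example (not OpenDNSSEC code and not from the reporter): it parses constructed RRSIG records, finds the latest expiration among signatures made by one key tag, and flags a removal date computed as now plus policy validity when that date falls before the published expiration. The zone name, key tags and function names are assumptions for illustration, and TTL and propagation delays are ignored.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone data (not from the report): RRSIG records in
# presentation format. Fields after "RRSIG": type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
SAMPLE_ZONE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20141014120000 20140930120000 11111 example.test. c2ln
www.example.test. 3600 IN RRSIG A 8 3 3600 20141013090000 20140929090000 11111 example.test. c2ln
example.test. 3600 IN RRSIG NS 8 2 3600 20141007120000 20141003120000 22222 example.test. c2ln
"""

def parse_rrsig_time(text):
    """Parse the YYYYMMDDHHmmSS (UTC) form of an RRSIG timestamp."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def latest_expiration(zone_text, key_tag):
    """Return the latest expiration among RRSIGs made by key_tag, or None."""
    latest = None
    for line in zone_text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 9 or int(rdata[6]) != key_tag:
            continue  # malformed record, or signed by a different key
        expires = parse_rrsig_time(rdata[4])
        if latest is None or expires > latest:
            latest = expires
    return latest

def check_removal(zone_text, key_tag, now, policy_validity):
    """Compare a policy-derived date with the signatures actually published."""
    policy_date = now + policy_validity
    published = latest_expiration(zone_text, key_tag)
    # Removing the key before its last published signature expires would
    # leave validators holding signatures they cannot check.
    early = published is not None and policy_date < published
    return {"policy_date": policy_date, "published": published, "too_early": early}

if __name__ == "__main__":
    now = datetime(2014, 10, 3, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    for validity in (timedelta(days=14), timedelta(days=4)):
        print(validity, check_removal(SAMPLE_ZONE, 11111, now, validity))
```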

            People

            Assignee:
            Unassigned
            Reporter:
            antiduh Kevin Thompson