ZSK rollover does not conform to the configured policy
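I set a 90-day zsk-lifetime (7776000 s) for the zone, but a ZSK rollover starts every 2 hours, and I don't know why. The zone configuration, the rollover log entries and the key list are shown below; in the key list each ZSK is created 7200 s after the previous one.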
[gtld@DNSSEC-KNOT-163 etc]$ /usr/local/knot/sbin/knotc -c knot.conf conf-read zone[abc]
zone.domain = abc.
zone[abc.].template = slave_1024
zone[abc.].file = abc.txt
[gtld@DNSSEC-KNOT-163 etc]$ /usr/local/knot/sbin/knotc -c knot.conf conf-read template[slave_1024].dnssec-policy
template[slave_1024].dnssec-policy = auto_1024
[gtld@DNSSEC-KNOT-163 etc]$ /usr/local/knot/sbin/knotc -c knot.conf conf-read policy[auto_1024]
policy.id = auto_1024
policy[auto_1024].keystore = softhsm
policy[auto_1024].manual = off
policy[auto_1024].algorithm = rsasha256
policy[auto_1024].ksk-size = 2048
policy[auto_1024].zsk-size = 1024
policy[auto_1024].ksk-lifetime = 315360000
policy[auto_1024].zsk-lifetime = 7776000
policy[auto_1024].delete-delay = 17280000
policy[auto_1024].nsec3 = on
policy[auto_1024].nsec3-iterations = 0
policy[auto_1024].nsec3-opt-out = off
policy[auto_1024].nsec3-salt-length = 0
policy[auto_1024].signing-threads = 16
policy[auto_1024].dnskey-management = incremental
[gtld@DNSSEC-KNOT-163 etc]$ grep 'rollover' ../log/knot.log ../log/knot.log.0 ../log/knot.log.1
../log/knot.log:2024-11-29T00:00:18+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log:2024-11-29T02:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log:2024-11-29T04:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log:2024-11-29T06:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log:2024-11-29T08:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log:2024-11-29T10:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T00:00:18+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T02:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T04:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T06:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T08:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T10:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T12:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T14:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T16:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T18:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T20:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.0:2024-11-28T22:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T02:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T04:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T06:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T07:16:59+0800 info: [zdnsgtld.com.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T08:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T08:17:13+0800 info: [testds.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T10:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T12:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T14:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T16:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T18:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T20:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.1:2024-11-27T22:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.92:2024-08-28T22:00:17+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.91:2024-08-29T00:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
../log/knot.log.91:2024-08-29T02:00:16+0800 info: [abc.] DNSSEC, ZSK rollover started
[gtld@DNSSEC-KNOT-163 etc]$ /usr/local/knot/sbin/keymgr -c knot.conf abc list
......
1fb1d5f11614f2a694887ceaf3f8d410fa65d426 61449 ZSK RSASHA256/1024 created=1732788016 publish=1732788016 active=1732795216 retire=1732802416 remove=1732809616
ac214cb8dd65e020883f594b1f89b8d2169b398e 62629 ZSK RSASHA256/1024 created=1732795216 publish=1732795216 active=1732802416 retire=1732809616 remove=1732816816
77abd29e724171dcae0d077e572c7680983adfd3 50604 ZSK RSASHA256/1024 created=1732802416 publish=1732802416 active=1732809616 retire=1732816816 remove=1732824016
8425c4271806ed66ba5b046912ca9d065d0e1a57 15919 ZSK RSASHA256/1024 created=1732809616 publish=1732809616 active=1732816816 retire=1732824016 remove=1732831216
08e0030c14ebc972222c4823487a2c0b470eb1d1 53778 ZSK RSASHA256/1024 created=1732816816 publish=1732816816 active=1732824016 retire=1732831216 remove=1732838416
e99b7604c9d17df750c46803eba5e5bdf9700d2f 62385 ZSK RSASHA256/1024 created=1732824016 publish=1732824016 active=1732831216 retire=1732838416 remove=1732845616
1538ae535f58e0377c0576f37332c5bb3ab24e6e 23884 ZSK RSASHA256/1024 created=1732831216 publish=1732831216 active=1732838416 retire=1732845616 remove=1732852816
609b17df3986744098fe880e6133342a33524186 51441 ZSK RSASHA256/1024 created=1732838416 publish=1732838416 active=1732845616 retire=1732852816
e693322ed880f556b6c11c7ce14f54edd3fb15eb 5409 ZSK RSASHA256/1024 created=1732845616 publish=1732845616 active=1732852816
6e145d2951a961a41596b0fbe4f04d942d51065a 50016 ZSK RSASHA256/1024 created=1732852816 publish=1732852816
Edited by yuchunyun