Insane dnssec-policy leads to weird times in state files
Insane policy with a short key lifetime and a long publish safety leads to weird state files:
dnssec-policy tall {
    keys {
        ksk key-directory lifetime P1Y algorithm 13;
        zsk key-directory lifetime PT6H algorithm 13;
    };
    zone-max-ttl 1d;
    publish-safety 1w;
};
This is the predecessor key's state:
; This is the state of key 35225, for sisotowbell.org.
Algorithm: 13
Length: 256
Lifetime: 604800
Successor: 6279
KSK: no
ZSK: yes
Generated: 20200206082447 (Thu Feb 6 00:24:47 2020)
Published: 20200206082447 (Thu Feb 6 00:24:47 2020)
Active: 20200206082447 (Thu Feb 6 00:24:47 2020)
Retired: 20200213082447 (Thu Feb 13 00:24:47 2020)
DNSKEYChange: 20200206082447 (Thu Feb 6 00:24:47 2020)
ZRRSIGChange: 20200206082447 (Thu Feb 6 00:24:47 2020)
DNSKEYState: rumoured
ZRRSIGState: rumoured
GoalState: omnipresent
Note that it's active today, and retired a week from now.
This is the successor key's state:
; This is the state of key 6279, for sisotowbell.org.
Algorithm: 13
Length: 256
Lifetime: 21600
Predecessor: 35225
KSK: no
ZSK: yes
Generated: 20200206083705 (Thu Feb 6 00:37:05 2020)
Published: 20200206071947 (Wed Feb 5 23:19:47 2020)
Active: 20200213082447 (Thu Feb 13 00:24:47 2020)
Retired: 20200206083713 (Thu Feb 6 00:37:13 2020)
DNSKEYChange: 20200206083713 (Thu Feb 6 00:37:13 2020)
ZRRSIGChange: 20200206083713 (Thu Feb 6 00:37:13 2020)
DNSKEYState: unretentive
ZRRSIGState: unretentive
GoalState: hidden
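
A timing sanity check for key state files like the two above. This is an added example, not part of the original report and not BIND code. The function names are hypothetical, and the rules it applies (Generated <= Published <= Active <= Retired, and Retired minus Active equal to Lifetime) are assumed sanity checks rather than documented BIND invariants. The sample inputs are constructed from the timing fields shown in the report.

```python
from datetime import datetime

# Constructed samples: timing fields copied from the two state files in the report.
SUCCESSOR = """\
; This is the state of key 6279, for sisotowbell.org.
Lifetime: 21600
Generated: 20200206083705 (Thu Feb 6 00:37:05 2020)
Published: 20200206071947 (Wed Feb 5 23:19:47 2020)
Active: 20200213082447 (Thu Feb 13 00:24:47 2020)
Retired: 20200206083713 (Thu Feb 6 00:37:13 2020)
"""
PREDECESSOR = """\
; This is the state of key 35225, for sisotowbell.org.
Lifetime: 604800
Generated: 20200206082447 (Thu Feb 6 00:24:47 2020)
Published: 20200206082447 (Thu Feb 6 00:24:47 2020)
Active: 20200206082447 (Thu Feb 6 00:24:47 2020)
Retired: 20200213082447 (Thu Feb 13 00:24:47 2020)
"""
ORDER = ("Generated", "Published", "Active", "Retired")  # assumed sane order

def parse_state(text):
    """Return {field: first token of value}; ';' comment lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(";") or ":" not in line:
            continue
        key, value = line.split(":", 1)   # later colons belong to the local-time note
        parts = value.split()
        if parts:
            fields[key.strip()] = parts[0]
    return fields

def ts(fields, name):
    return datetime.strptime(fields[name], "%Y%m%d%H%M%S")

def check_state(text, policy_lifetime=None):
    """List timing problems; policy_lifetime is the configured lifetime in seconds."""
    f, problems = parse_state(text), []
    present = [n for n in ORDER if n in f]
    for earlier, later in zip(present, present[1:]):
        if ts(f, later) < ts(f, earlier):
            problems.append(f"{later} precedes {earlier}")
    lifetime = int(f.get("Lifetime", 0))
    if lifetime and "Active" in f and "Retired" in f:
        span = int((ts(f, "Retired") - ts(f, "Active")).total_seconds())
        if span != lifetime:
            problems.append(f"Retired-Active is {span}s, Lifetime is {lifetime}s")
    if policy_lifetime is not None and lifetime != policy_lifetime:
        problems.append(f"Lifetime {lifetime}s differs from policy {policy_lifetime}s")
    return problems
```

Calling `check_state` with `policy_lifetime=21600` (the PT6H from the policy above) flags the successor's ordering problems and the predecessor's one-week Lifetime.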