<div dir="ltr">Hello,<div><br></div><div>I'm testing the KSK rollover process and got into something I fail to understand. For my zone I have one stand-by KSK. Before starting the rollover here is how my keys list looked:</div>
<div><br></div><div><div>ods-ksmutil key list --keytype ksk -v 2> /dev/null</div><div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div>
<div>tld KSK active 2015-06-07 18:59:50 (retire) 2048 8 a2b2155affee6c67ec546222443bb35c Keyper 62557</div><div>tld KSK dsready When required (keypub) 2048 8 a0ad6883be22eb83506f6eed1ad01ab1 Keyper 58075</div>
</div><div><br></div><div>Then I used "ods-ksmutil key rollover --zone tld --keytype KSK" to start the KSK rollover process. Here is the keys list after that step:</div><div><br></div><div><div>ods-ksmutil key list --keytype ksk -v 2> /dev/null</div>
<div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div><div>tld KSK publish 2014-05-20 19:18:53 (ready) 2048 8 336a0d8ebb714fe38eff8abc3fcd9c98 Keyper 39757</div>
<div>tld KSK active 2014-05-20 15:13:53 (retire) 2048 8 a2b2155affee6c67ec546222443bb35c Keyper 62557</div><div>tld KSK keypublish 2014-05-20 19:18:53 (active) 2048 8 a0ad6883be22eb83506f6eed1ad01ab1 Keyper 58075</div>
</div><div><br></div><div>Because I'm still testing and try various options, I have restarted the ods-enforcerd process and that introduced additional KSK for that zone:</div><div><br></div><div><div>ods-ksmutil key list --keytype ksk --zone tld -v 2> /dev/null</div>
<div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div><div>tld KSK keypublish 2014-05-20 19:18:53 (active) 2048 8 a0ad6883be22eb83506f6eed1ad01ab1 Keyper 58075</div>
<div>tld KSK publish 2014-05-20 19:18:53 (ready) 2048 8 336a0d8ebb714fe38eff8abc3fcd9c98 Keyper 39757</div><div>tld KSK active 2014-05-20 15:13:53 (retire) 2048 8 a2b2155affee6c67ec546222443bb35c Keyper 62557</div>
<div>tld KSK dssub waiting for ds-seen (dspub) 2048 8 997358542f04e0f34dcf70d47a5dc22a Keyper 18944</div></div><div><br></div><div>What I do not understand is why the key with Keytag 39757 was introduced for that zone and why with state "publish"? It looks more like a stand-by ZSK which are introduced in "publish" state. When signing the zone 3 KSKs are added to the DNSKEY record (62557, 58075, 39757). When creating the DS record for that zone, hashes for the following 3 keys are created - 62557, 18944, 58075, which actually makes sense. Just for the record, I also have stand-by ZSK set in kasp.xml.</div>
<div><br></div><div>The logfile first says:</div><div><div>May 20 15:26:02 catwoman ods-enforcerd: 1 zone(s) found on policy "TLD"</div><div>May 20 15:26:02 catwoman ods-enforcerd: No new KSKs need to be created.</div>
<div>May 20 15:26:02 catwoman ods-enforcerd: No new ZSKs need to be created.</div><div>May 20 15:26:02 catwoman ods-enforcerd: Purging keys...</div></div><div><br></div><div>and then:</div><div><div>May 20 15:26:02 catwoman ods-enforcerd: zonelist filename set to /usr/local/ods/etc/opendnssec/zonelist.xml.</div>
<div>May 20 15:26:02 catwoman ods-enforcerd: Zone tld found.</div><div>May 20 15:26:02 catwoman ods-enforcerd: Policy for tld set to TLD.</div><div>May 20 15:26:02 catwoman ods-enforcerd: Policy TLD found in DB.</div><div>
May 20 15:26:02 catwoman ods-enforcerd: Config will be output to /usr/local/ods/var/opendnssec/signconf/tld.xml.</div><div>May 20 15:26:02 catwoman ods-enforcerd: KSK key allocation for zone tld: 1 key(s) allocated</div><div>
May 20 15:26:02 catwoman ods-enforcerd: WARNING: KSK rollover for zone 'tld' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next</div><div>May 20 15:26:02 catwoman ods-enforcerd: No change to: /usr/local/ods/var/opendnssec/signconf/tld.xml</div>
<div>May 20 15:26:02 catwoman ods-enforcerd: DSChanged</div></div><div>...</div><div><br></div><div><div>ods-ksmutil --version</div><div>opendnssec version 1.4.5</div></div><div><br></div><div>Any ideas what went wrong or what I'm missing?</div>
<div><br></div><div>A comment in the configuration file states that the Stand-by feature is experimental? Does it mean it should not be used in production environments?</div><div><br></div><div>Thanks.</div><div>Emil</div>
</div>