<div dir="ltr">Hi Berry,<div><br></div><div>Thank you very much for your response.</div><div><br></div><div>I do not think it's a matter of preserving signatures. First (and sorry for not bringing this up earlier), the policy in use has a refresh interval of zero (&lt;Refresh&gt;PT0S&lt;/Refresh&gt;), so all signatures should be generated every time the signer runs. Second, the signatures are always generated, and I see the inception and expiration timestamps reflecting that. Here is how the signature looks when I forced a resign today:</div><div><br></div><div>example.com.  86400   IN      RRSIG   SOA 8 2 86400 20170819061448 20170719051448 51915 example.com. qj0MmG/W4XzY2TxePRHC7xCcqG2adU00FosgnWIkAFo9MnQkuzn5aXbU2wlcKQ16DhIpnGVmMQ5gMh9hxy....</div><div><br></div><div>Still, the ZSK with keytag 51915 is used instead of 37063.</div><div><br></div><div>"ods-signer update" helped though. After running it I see the zone signed with the ZSK with keytag 37063. I do not know how it is different from restarting the signer, which is the first thing I tried yesterday.</div><div><br></div><div>Thank you for your help.</div><div><br></div><div>Emil</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 18, 2017 at 7:52 PM, Berry A.W. van Halderen <span dir="ltr">&lt;<a href="mailto:berry@nlnetlabs.nl" target="_blank">berry@nlnetlabs.nl</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 07/18/2017 04:57 PM, Emil Natan wrote:<br>
> opendnssec version 1.4.13.<br>
<br>
Dear Emil,<br>
<br>
From the output you've given, it looks like you have a policy where the<br>
signatures are valid for a month and the signatures are fresh.  Hence<br>
they would be re-used by the signer: since the signatures are still<br>
valid for quite a while, the signer will keep them until they are near<br>
expiration (exact time depending on your policy).<br>
<br>
The "key list" indicates that according to the enforcer, all signatures<br>
are gone by 2017-07-30 23:59, and the ZSK would be dead.<br>
<br>
Slowly you could expect signatures to be disappearing.  If, however, you<br>
believe that according to your policy there should already be signatures<br>
that would have gone, it is also possible that your signer was not running<br>
when the enforcer would inform the signer of a new signconf file.<br>
<br>
If this is the case, you can issue an "ods-signer update example.com...",<br>
which would have been executed by the enforcer to inform the signer.<br>
<br>
\Berry<br>
<span class=""><br>
> The zonefile is signed with the 51915 ZSK when I'm expecting it to be signed<br>
> with the 37063 ZSK. The DNSKEY RRset contains all four keys and is correctly<br>
> signed with both KSKs. I forced signing with "ods-signer sign zone" with<br>
> the same result.<br>
><br>
</span>> # ods-ksmutil key list -z example.com -v<br>
> ...<br>
> Keys:<br>
> Zone:         Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:<br>
> example.com   KSK       active   2017-03-29 15:38:36 (retire)   2048   8           379855eb637390420bb659c63e34875a  Keyper       31082<br>
> example.com   ZSK       retire   2017-07-30 23:59:30 (dead)     2048   8           898c304545fcf1bbd3b4f4dee01de431  Keyper       51915<br>
> example.com   KSK       ready    waiting for ds-seen (active)   2048   8           41cc87e43330a139c10daec84c926af6  Keyper       35999<br>
<div><div class="h5">> example.com   ZSK       active   2017-10-30 21:59:30 (retire)   2048   8           569cfa7acc4e45518ba9c6bb64660b6d  Keyper       37063<br>
><br>
> from signconf file for the zone:<br>
><br>
>                 &lt;Keys&gt;<br>
>                         &lt;TTL&gt;PT3600S&lt;/TTL&gt;<br>
>                         &lt;Key&gt;<br>
>                                 &lt;Flags&gt;257&lt;/Flags&gt;<br>
>                                 &lt;Algorithm&gt;8&lt;/Algorithm&gt;<br>
>                                 &lt;Locator&gt;379855eb637390420bb659c63e34875a&lt;/Locator&gt;<br>
>                                 &lt;KSK /&gt;<br>
>                                 &lt;Publish /&gt;<br>
>                         &lt;/Key&gt;<br>
><br>
>                         &lt;Key&gt;<br>
>                                 &lt;Flags&gt;257&lt;/Flags&gt;<br>
>                                 &lt;Algorithm&gt;8&lt;/Algorithm&gt;<br>
>                                 &lt;Locator&gt;41cc87e43330a139c10daec84c926af6&lt;/Locator&gt;<br>
>                                 &lt;KSK /&gt;<br>
>                                 &lt;Publish /&gt;<br>
>                         &lt;/Key&gt;<br>
><br>
>                         &lt;Key&gt;<br>
>                                 &lt;Flags&gt;256&lt;/Flags&gt;<br>
>                                 &lt;Algorithm&gt;8&lt;/Algorithm&gt;<br>
>                                 &lt;Locator&gt;898c304545fcf1bbd3b4f4dee01de431&lt;/Locator&gt;<br>
>                                 &lt;Publish /&gt;<br>
>                         &lt;/Key&gt;<br>
><br>
>                         &lt;Key&gt;<br>
>                                 &lt;Flags&gt;256&lt;/Flags&gt;<br>
>                                 &lt;Algorithm&gt;8&lt;/Algorithm&gt;<br>
>                                 &lt;Locator&gt;569cfa7acc4e45518ba9c6bb64660b6d&lt;/Locator&gt;<br>
>                                 &lt;ZSK /&gt;<br>
>                                 &lt;Publish /&gt;<br>
>                         &lt;/Key&gt;<br>
><br>
>                 &lt;/Keys&gt;<br>
><br>
> This is from the backup2 file, which is recent:<br>
> ;;Key: locator 379855eb637390420bb659c63e34875a algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0<br>
> ;;Key: locator 41cc87e43330a139c10daec84c926af6 algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0<br>
> ;;Key: locator 898c304545fcf1bbd3b4f4dee01de431 algorithm 8 flags 256 publish 1 ksk 0 zsk 1 rfc5011 0<br>
> ;;Key: locator 569cfa7acc4e45518ba9c6bb64660b6d algorithm 8 flags 256 publish 1 ksk 0 zsk 0 rfc5011 0<br>
><br>
> And here are the signatures created:<br>
</div></div>> example.com.  86400   IN      RRSIG   SOA 8 2 86400 20170818133611 20170718123611 51915 example.com. IFHFZF7DTgwPATmWw3tLyEAYUdwGMhH9BCON4uGr7invMz64NRNLD142Yz...<br>
<span class="">> example.com.  86400   IN      RRSIG   NS 8 2 86400 20170818133611 20170718123611 51915 example.com. K37AntYRr29Ad9H/EvlDsjwFHhLLnj4TBq2x93flDa4laMhyXdgKAQz0t4SnBp49...<br>
><br>
> Thank you in advance.<br>
> Emil<br>
><br>
><br>
</span>> _______________________________________________<br>
> Opendnssec-user mailing list<br>
> <a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
> <a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
><br>
<br>
</blockquote></div><br></div>
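The check a practitioner would want after reading this exchange, added here as an example that is not part of the mailing-list thread and not OpenDNSSEC code: parse the DNSKEY and RRSIG records of a signed zone, compute each DNSKEY's key tag (RFC 4034 Appendix B) so the key tag in every RRSIG can be tied to a published key, and report, per RRset, which key signed it, whether that key is the ZSK the enforcer says is active, how long ago the signature was generated, and how long until it expires. The inception age is what separates the two readings in the thread: a large age with the old key tag means still-valid signatures are being reused (Berry's reading), a small age with the old key tag means fresh signatures are being produced with the retired ZSK (what Emil reports). Assumptions: the zone is in single-line presentation format with explicit TTL and class; the two DNSKEY public keys are constructed 2-byte toys chosen so that their key tags come out as 51915 and 37063, the tags in the thread; the RRSIG lines mirror the SOA and NS signatures quoted above with the signature field replaced by a placeholder; "now" is pinned to the resign time Emil mentions.

```python
"""Audit the RRSIGs of a signed zone: which key tag signed each RRset, whether
that tag is published as a DNSKEY, whether the signature is fresh or reused
(inception age), and how long until it expires.

Added example; not OpenDNSSEC code.  The two DNSKEY public keys below are
constructed 2-byte toys chosen so their RFC 4034 key tags are 51915 and 37063
(the tags from the thread); the RRSIG lines mirror the SOA and NS signatures
quoted in the thread, with the signature field replaced by a placeholder.
"""
import base64
from datetime import datetime, timezone

SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 256 3 8 xsM=
example.com. 3600 IN DNSKEY 256 3 8 jL8=
example.com. 86400 IN RRSIG SOA 8 2 86400 20170818133611 20170718123611 51915 example.com. c2lnbmF0dXJl
example.com. 86400 IN RRSIG NS 8 2 86400 20170818133611 20170718123611 51915 example.com. c2lnbmF0dXJl
"""

# "now" pinned to the forced resign Emil mentions (2017-07-19 05:14:48 UTC).
RESIGN_TIME = datetime(2017, 7, 19, 5, 14, 48, tzinfo=timezone.utc)


def dnskey_keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B.1 (every algorithm except 1): 16-bit
    sum over the DNSKEY RDATA, even-offset bytes shifted into the high byte."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _ts(field):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Return ({keytag: algorithm} for DNSKEYs, [RRSIG dicts]).  Handles only
    single-line records with explicit TTL and class, as a signer writes them."""
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            dnskeys[dnskey_keytag(flags, proto, alg, "".join(f[7:]))] = alg
        elif f[3] == "RRSIG":
            rrsigs.append({
                "owner": f[0], "type": f[4], "algorithm": int(f[5]),
                "expiration": _ts(f[8]), "inception": _ts(f[9]),
                "keytag": int(f[10]), "signer": f[11],
            })
    return dnskeys, rrsigs


def audit(text, expected_zsk_tag, now, warn_days=7):
    """One finding per RRSIG not covering DNSKEY (that RRset is KSK-signed).
    'issues' is empty when the RRset is signed by the expected ZSK, the key is
    published, and the signature is inside its window and not about to expire.
    Wrong tag + small signed_hours_ago: fresh signatures with the old key.
    Wrong tag + large signed_hours_ago: old, still-valid signatures reused."""
    dnskeys, rrsigs = parse_zone(text)
    findings = []
    for s in rrsigs:
        if s["type"] == "DNSKEY":
            continue
        issues = []
        if s["keytag"] != expected_zsk_tag:
            issues.append("signed by key tag %d, expected ZSK %d" % (s["keytag"], expected_zsk_tag))
        if s["keytag"] not in dnskeys:
            issues.append("no DNSKEY with tag %d in the zone; validators would fail" % s["keytag"])
        elif dnskeys[s["keytag"]] != s["algorithm"]:
            issues.append("RRSIG algorithm %d does not match the DNSKEY" % s["algorithm"])
        if not s["inception"] <= now < s["expiration"]:
            issues.append("outside its validity window")
        days_left = (s["expiration"] - now).total_seconds() / 86400
        if days_left < warn_days:
            issues.append("expires in %.1f days" % days_left)
        findings.append({
            "owner": s["owner"], "type": s["type"], "keytag": s["keytag"],
            # Signers usually backdate inception (InceptionOffset), so this is approximate.
            "signed_hours_ago": round((now - s["inception"]).total_seconds() / 3600, 1),
            "days_left": round(days_left, 1),
            "issues": issues,
        })
    return findings


def sample_audit():
    """Run the audit on the constructed zone, expecting the new ZSK 37063."""
    return audit(SAMPLE_ZONE, expected_zsk_tag=37063, now=RESIGN_TIME)


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

On a real zone, feed it the signer's output file and the key tag shown as active in "ods-ksmutil key list"; the DNSKEY RRset is left out of the audit because it is signed by the KSKs, which is the part Emil reports as already correct.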