<div dir="ltr">I tried to decrease various values set in the kasp.xml file, most notably validity default and denial, publish and retire safety, propagation delay for the zone and the parent zone and TTLs. While that affected the key state in some cases, it did not affect the ZSK in retire state which I want to remove from the zone.<div><br></div><div>I also tried to force deletion of that key with ods-ksmutil key delete but the action was rejected by the enforcerd since it considers the key to be in use.</div><div><br></div><div>I believe it's possible to manually change the value of next transition for that key in the database, but I really consider that a last resort.</div><div><br></div><div>Emil</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jul 22, 2017 at 5:02 PM, Emil Natan <span dir="ltr"><<a href="mailto:shlyoko@gmail.com" target="_blank">shlyoko@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>opendnssec version 1.4.13, kasp.xml attached.<br></div><div><br></div><div>We have all keys (KSK and ZSK) for the next 5 years pregenerated on the HSM.</div><div><br></div><div><ManualRollover/> is set for the KSK.<br></div><div><br></div><div>Yet yesterday, on the day the KSK rollover was scheduled for, it just happened.</div><div><br></div><div><div>Jul 20 03:47:15 signer001 ods-enforcerd: Zone <a href="http://example.com" target="_blank">example.com</a> found.</div><div>Jul 20 03:47:15 signer001 ods-enforcerd: Policy for <a href="http://example.com" target="_blank">example.com</a> set to 1.</div><div>Jul 20 03:47:15 signer001 ods-enforcerd: Policy 1 found in DB.</div><div>Jul 20 03:47:15 signer001 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/example.com.xml.</div><div>Jul 20 03:47:15 signer001 ods-enforcerd: KSK key allocation for zone <a href="http://example.com" target="_blank">example.com</a>: 1 key(s) allocated</div></div><div><br></div><div>The new KSK was introduced into the zone and DNSKEY signed with both new and old KSK. What makes it even more annoying is that the ZSK was rolled at the same time (as expected), so now we ended up having a pretty big DNSKEY + RRSIG response.</div><div><br></div><div>One of the checks on the signed zonefiles stopped it from being published, and now we have to decide either to publish the zonefile that way or to force the ZSK rollover to finish faster than it would if we wait for it to happen automatically, and then publish the zonefile. Because of the signature validity set to 31 days, it's scheduled to happen on 2017-08-20. The DNSKEY RRset has a TTL of one hour and we publish the zone every day and it spreads instantly, so it's already safe to do so. I see that ods-ksmutil provides an option to retire a KSK (ksk-retire), but I do not see such an option for the ZSK. Any ideas if and how it can be done?</div><div><br></div><div>Thanks</div><span class="HOEnZb"><font color="#888888"><div>Emil</div></font></span></div>
</blockquote></div><br></div>
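The thread's root problem was a KSK rollover that started on its own despite <ManualRollover/> being set, and it was only noticed once the signed zone failed a pre-publication check. As an added example (not code from the thread or from OpenDNSSEC), the following Python checker parses ods-enforcerd syslog lines of the form quoted above and flags KSK key allocations for zones whose operator expects the KSK to roll only on request, so the event can raise an alert before the enlarged DNSKEY RRset reaches the published zone. The sample log is constructed from the lines in the message; the ZSK allocation line and the assumption that it shares the KSK line's wording are mine, as is the operator-maintained list of manual-rollover zones.

```python
import re

# Constructed sample of ods-enforcerd syslog output. The first five lines follow the
# lines quoted in the thread; the ZSK line is an assumption that the enforcer uses the
# same wording for ZSK allocations as for KSK allocations.
SAMPLE_LOG = """\
Jul 20 03:47:15 signer001 ods-enforcerd: Zone example.com found.
Jul 20 03:47:15 signer001 ods-enforcerd: Policy for example.com set to 1.
Jul 20 03:47:15 signer001 ods-enforcerd: Policy 1 found in DB.
Jul 20 03:47:15 signer001 ods-enforcerd: Config will be output to /ods-data/var/opendnssec/signconf/example.com.xml.
Jul 20 03:47:15 signer001 ods-enforcerd: KSK key allocation for zone example.com: 1 key(s) allocated
Jul 20 03:47:15 signer001 ods-enforcerd: ZSK key allocation for zone example.com: 1 key(s) allocated
"""

# Matches the "<type> key allocation for zone <zone>: <n> key(s) allocated" line;
# the syslog prefix layout (month day time host) is assumed, not taken from docs.
ALLOC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ods-enforcerd: "
    r"(?P<key_type>KSK|ZSK) key allocation for zone (?P<zone>\S+): "
    r"(?P<count>\d+) key\(s\) allocated$"
)


def parse_allocations(log_text):
    """Return one dict per key-allocation event found in the log text.

    Lines that do not match (zone found, policy lookups, signconf path, ...)
    are ignored; they do not indicate a key-state change."""
    events = []
    for line in log_text.splitlines():
        m = ALLOC_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["count"] = int(ev["count"])
        ev["zone"] = ev["zone"].rstrip(".")  # normalise trailing dot
        events.append(ev)
    return events


def unexpected_ksk_allocations(log_text, manual_ksk_zones):
    """KSK allocations for zones whose KSK rollover is expected to be manual.

    manual_ksk_zones is the operator's own list of zones carrying <ManualRollover/>
    on the KSK in kasp.xml (assumed to be maintained next to the config). A hit
    means the enforcer has started introducing a new KSK without the operator
    asking for it, which is worth an alert before the zone is published."""
    wanted = {z.rstrip(".") for z in manual_ksk_zones}
    return [
        ev for ev in parse_allocations(log_text)
        if ev["key_type"] == "KSK" and ev["count"] > 0 and ev["zone"] in wanted
    ]


if __name__ == "__main__":
    for ev in unexpected_ksk_allocations(SAMPLE_LOG, {"example.com"}):
        print(f"{ev['ts']} {ev['host']}: unexpected KSK allocation for {ev['zone']} "
              f"({ev['count']} key(s))")
```

Run against the live enforcer log (for example from a cron job that tails the syslog file), the checker gives a signal on the day the KSK is allocated, which is a day before the signed zone is rebuilt and long before the rollover completes; ZSK allocations are parsed too but not reported, since the thread treats those as expected.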