<div dir="ltr">Hi Hoda,<div><br></div><div>There are no signatures created/remaining in the signed zone with the retired key and it's completely redundant it's kept in the zonefile for so long.<br></div><div><br></div><div>Unfortunately the proposed fix does not work. It affects the active key, but not the retired key which I want to remove from the DNSKEY RRset.</div><div><br></div><div>#### with original ZSK Lifetime value of 4 months</div><div># ods-ksmutil key list -z <a href="http://example.com">example.com</a> -v<br></div><div><div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div><div><a href="http://example.com">example.com</a> ZSK retire 2017-08-23 13:50:48 (dead) 2048 8 6b5c0df9591dac52e2fdabbc7cf89b89 Keyper 25365</div><div><a href="http://example.com">example.com</a> KSK active 2018-07-23 11:08:58 (retire) 2048 8 7e664b28619e580963c9fb6e0ee98a96 Keyper 58744</div><div><a href="http://example.com">example.com</a> ZSK active 2017-11-24 13:48:48 (retire) 2048 8 096ace586ef8102d694cac0f58642460 Keyper 19239</div></div><div><br></div><div>### lifetime decreased to 2 months<br></div><div><div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div><div><a href="http://example.com">example.com</a> ZSK retire 2017-08-23 13:50:48 (dead) 2048 8 6b5c0df9591dac52e2fdabbc7cf89b89 Keyper 25365</div><div><a href="http://example.com">example.com</a> KSK active 2018-07-23 11:08:58 (retire) 2048 8 7e664b28619e580963c9fb6e0ee98a96 Keyper 58744</div><div><a href="http://example.com">example.com</a> ZSK active 2017-09-23 13:48:48 (retire) 2048 8 096ace586ef8102d694cac0f58642460 Keyper 19239</div></div><div><br></div><div>### lifetime decreased to 1 month<br></div><div><div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div><div><a href="http://example.com">example.com</a> ZSK retire 2017-08-23 13:50:48 (dead) 2048 8 6b5c0df9591dac52e2fdabbc7cf89b89 Keyper 25365</div><div><a href="http://example.com">example.com</a> KSK active 2018-07-23 11:08:58 (retire) 2048 8 7e664b28619e580963c9fb6e0ee98a96 Keyper 58744</div><div><a href="http://example.com">example.com</a> ZSK active 2017-08-23 13:48:48 (retire) 2048 8 096ace586ef8102d694cac0f58642460 Keyper 19239</div></div><div><br></div><div>### lifetime decreased to 10 days<br></div><div><div>Keys:</div><div>Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:</div><div><a href="http://example.com">example.com</a> ZSK retire 2017-08-23 13:50:48 (dead) 2048 8 6b5c0df9591dac52e2fdabbc7cf89b89 Keyper 25365</div><div><a href="http://example.com">example.com</a> KSK active 2018-07-23 11:08:58 (retire) 2048 8 7e664b28619e580963c9fb6e0ee98a96 Keyper 58744</div><div><a href="http://example.com">example.com</a> ZSK active 2017-08-02 13:48:48 (retire) 2048 8 096ace586ef8102d694cac0f58642460 Keyper 19239</div></div><div><br></div><div>Emil</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 24, 2017 at 12:52 PM, Hoda Rohani <span dir="ltr"><<a href="mailto:hoda@nlnetlabs.nl" target="_blank">hoda@nlnetlabs.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Email,<br>
<span class=""><br>
<br>
On 23-07-17 15:24, Emil Natan wrote:<br>
> I tried to decrease various values set in the kasp.xml file, most notably<br>
> validity default and denial, publish and retire safety, propagation delay<br>
> for the zone and the parent zone and TTLs. While that affected the key<br>
> state is some cases, it did not affect the ZSK in retire state which I want<br>
> to remove from the zone.<br>
><br>
<br>
</span>I think reducing the Life time value of ZSK would help you. You should run 'ods-ksmutil policy import' after decreasing<br>
the Life time to see the result.<br>
After the old ZSK is completely removed you can modify the ZSK Lifetime again to have the main value.<br>
<span class=""><br>
<br>
> I also tried to force deletion of that key with ods-ksmutil key delete but<br>
> the action was rejected by the enforcerd since it considers the key to be<br>
> in use.<br>
><br>
<br>
</span>Actually it seems that this key is still being used for signatures and cannot be deleted.<br>
<span class=""><br>
> I believe it's possible to manually change the value of next transition for<br>
> that key in the database, but that I really consider last resort.<br>
><br>
<br>
</span>Please let us know if you still have the problem.<br>
<br>
> Emil<br>
<br>
Regards,<br>
Hoda Rohani<br>
<div><div class="h5"><br>
><br>
> On Sat, Jul 22, 2017 at 5:02 PM, Emil Natan <<a href="mailto:shlyoko@gmail.com">shlyoko@gmail.com</a>> wrote:<br>
><br>
>> Hello,<br>
>><br>
>> opendnssec version 1.4.13, kasp.xml attached.<br>
>><br>
>> We have all keys (KSK and ZSK) for the next 5 years pregenerated on the<br>
>> HSM.<br>
>><br>
>> <ManualRollover/> is set for the KSK.<br>
>><br>
>> Yet yesterday, on the day the KSK rollover was scheduled for, it just<br>
>> happened.<br>
>><br>
>> Jul 20 03:47:15 signer001 ods-enforcerd: Zone <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> found.<br>
>> Jul 20 03:47:15 signer001 ods-enforcerd: Policy for <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> set to 1.<br>
>> Jul 20 03:47:15 signer001 ods-enforcerd: Policy 1 found in DB.<br>
>> Jul 20 03:47:15 signer001 ods-enforcerd: Config will be output to<br>
>> /ods-data/var/opendnssec/<wbr>signconf/example.com.xml.<br>
>> Jul 20 03:47:15 signer001 ods-enforcerd: KSK key allocation for zone<br>
>> <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a>: 1 key(s) allocated<br>
>><br>
>> The new KSK was introduced into the zone and DNSKEY signed with both new<br>
>> and old KSK. What makes it even more annoying is that the ZSK was rolled at<br>
>> the same time (as expected), so now we ended having pretty big DNSKEY +<br>
>> RRSIG response.<br>
>><br>
>> One of the checks on the signed zonefiles stopped it from being published<br>
>> and now we have to decide either to publish the zonefile that way or force<br>
>> the ZSK rollover to finish faster than it should if we wait for it to<br>
>> happen automatically and then publish the zonefile. Because of the<br>
>> signature validity set to 31 days, it's scheduled to happen on 2017-08-20.<br>
>> The DNSKEY RRset has a TTL of one hour and we publish the zone every day<br>
>> and it spreads instantly, so it's already safe to do so. I see the<br>
>> ods-ksmutil provides option to retire KSK (ksk-retire), but I do not see<br>
>> such option for ZSK. Any ideas if and how it can be done?<br>
>><br>
>> Thanks<br>
>> Emil<br>
>><br>
><br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> Opendnssec-user mailing list<br>
> <a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.<wbr>opendnssec.org</a><br>
> <a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user" rel="noreferrer" target="_blank">https://lists.opendnssec.org/<wbr>mailman/listinfo/opendnssec-<wbr>user</a><br>
><br>
</blockquote></div><br></div>