[Opendnssec-user] Rollover strangeness?
Johan Ihren
johani at johani.org
Sun Nov 1 22:59:20 UTC 2009
So I'm playing with the rollover logic. And I just don't understand
what's going on. Now, I agree that rollover logic is not a trivial
topic, and one does easily get confused. But still...
Look at the following excerpt.
This is after having been running for more than 24h with a rather
high-frequency rollover policy (ZSK lifetime=2h, KSK lifetime=1day, one
standby key of each). All the retired keys are fine (I forgot to
decrease the purge time, so they will stay for days). But why are
there no new keys in the "publish" state? Not to mention "ready"?
The situation below just shouldn't happen.
I should also add that I have done multiple emergency rollovers, but
not immediately prior to this. And even if I had, new keys should
immediately be generated and published...which didn't happen.
Johan
PS. I have no idea either why the active ZSK has its next state
transition five years in the future... but that's less important right
now.
Two snapshots in time, 6 min apart:
ns.echo.dnslab:/root#date ; ods-ksmutil key list --verbose
Mon Nov 2 19:23:19 UTC 2009
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
echo.dnslab  KSK       retire   2009-11-02 18:39:55       eeead057836e1fc4a79391b0e687fb14  softHSM      8274
echo.dnslab  ZSK       retire   2009-11-09 04:36:37       a7acf3c05e313704ab0cb89e0aa07d1f  softHSM      49280
echo.dnslab  ZSK       retire   2009-11-09 12:47:28       01e1b614f679910d6b5b56c765ee5f29  softHSM      11162
echo.dnslab  ZSK       retire   2009-11-09 17:21:17       fa70a45d102f8580abc4f2845172cab7  softHSM      11744
echo.dnslab  KSK       active   2009-11-03 18:39:55       cf63eb39e37495731b895d9405068791  softHSM      29749
echo.dnslab  ZSK       retire   2009-11-09 19:44:55       07a1f22794aa8f817796ce6d5be8f89c  softHSM      35300
echo.dnslab  ZSK       active   2014-12-06 18:39:55       f686e18ee194a92fab89c63b5469ad03  softHSM      57617
ns.echo.dnslab:/root#date ; ods-ksmutil key list --verbose
Mon Nov 2 19:29:33 UTC 2009
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
echo.dnslab  KSK       retire   2009-11-02 18:39:55       eeead057836e1fc4a79391b0e687fb14  softHSM      8274
echo.dnslab  ZSK       retire   2009-11-09 04:36:37       a7acf3c05e313704ab0cb89e0aa07d1f  softHSM      49280
echo.dnslab  ZSK       retire   2009-11-09 12:47:28       01e1b614f679910d6b5b56c765ee5f29  softHSM      11162
echo.dnslab  ZSK       retire   2009-11-09 17:21:17       fa70a45d102f8580abc4f2845172cab7  softHSM      11744
echo.dnslab  KSK       active   2009-11-03 18:39:55       cf63eb39e37495731b895d9405068791  softHSM      29749
echo.dnslab  ZSK       retire   2009-11-09 19:44:55       07a1f22794aa8f817796ce6d5be8f89c  softHSM      35300
echo.dnslab  ZSK       active   2014-12-06 18:39:55       f686e18ee194a92fab89c63b5469ad03  softHSM      57617
Here's another snapshot, 12h later. This is better, although, as I've
changed to use 2 standby keys for the KSK, I still think this is wrong.
Also note that the next transition date for the retired keys has been
bumped faaaaar into the future ;-) What's that all about?
ns.echo.dnslab:/root#date ; ods-ksmutil key list --verbose
Tue Nov 3 07:29:44 UTC 2009
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
echo.dnslab  ZSK       retire   2035-04-20 04:36:37       a7acf3c05e313704ab0cb89e0aa07d1f  softHSM      49280
echo.dnslab  ZSK       retire   2035-04-20 12:47:28       01e1b614f679910d6b5b56c765ee5f29  softHSM      11162
echo.dnslab  ZSK       retire   2035-04-20 17:21:17       fa70a45d102f8580abc4f2845172cab7  softHSM      11744
echo.dnslab  ZSK       retire   2035-04-20 19:44:55       07a1f22794aa8f817796ce6d5be8f89c  softHSM      35300
echo.dnslab  ZSK       retire   2035-04-21 08:25:27       f686e18ee194a92fab89c63b5469ad03  softHSM      57617
echo.dnslab  KSK       active   2035-04-21 07:20:27       630c25f8578229159a6a7a234bb3d7d4  softHSM      14046
echo.dnslab  ZSK       active   2014-12-07 07:20:27       e82c1a55cc1ac0d18ebdd304da64b17b  softHSM      52160
echo.dnslab  KSK       ready    next rollover             5da5a8a8c197d8dd9273a482d099fbdd  softHSM      47536
echo.dnslab  ZSK       ready    next rollover             45774e78a06f94c8b326a3d350f794a6  softHSM      29124
echo.dnslab  KSK       publish  2009-11-03 09:37:41       ddbcf32b6da9ad06f70b5ddb8da3800b  softHSM      42865
echo.dnslab  ZSK       publish  2009-11-03 09:32:41       66a59fe70509387f9048fd713e6bd4c3  softHSM      12710
PPS. Feature request: it would be very nice with a presentation format
for "ods-ksmutil key list" that included the keytags but excluded the
CKA_IDs...
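As an added illustration (not part of the post or of OpenDNSSEC itself), the script below parses `ods-ksmutil key list --verbose` output, prints the keytag-only view the PPS asks for, and flags any zone/keytype pair with no key pre-published in the "publish" or "ready" state, which is the condition the first two snapshots show. The sample input is a constructed, trimmed copy of the first snapshot with the mail wrapping undone; the column layout is assumed from the post.

```python
"""Parse 'ods-ksmutil key list --verbose' output and check rollover readiness."""
from collections import defaultdict

# Constructed sample: trimmed copy of the post's first snapshot, one key per line.
SAMPLE = """\
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:        Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
echo.dnslab  KSK       retire   2009-11-02 18:39:55       eeead057836e1fc4a79391b0e687fb14  softHSM      8274
echo.dnslab  ZSK       retire   2009-11-09 04:36:37       a7acf3c05e313704ab0cb89e0aa07d1f  softHSM      49280
echo.dnslab  KSK       active   2009-11-03 18:39:55       cf63eb39e37495731b895d9405068791  softHSM      29749
echo.dnslab  ZSK       active   2014-12-06 18:39:55       f686e18ee194a92fab89c63b5469ad03  softHSM      57617
"""

def parse_key_list(text):
    """Return one dict per key. Tokens are split from the right because the
    transition column is either 'YYYY-MM-DD HH:MM:SS' or 'next rollover'."""
    keys = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[1] not in ("KSK", "ZSK"):
            continue  # skip the banner, 'Keys:' and the header row
        keys.append({
            "zone": tok[0], "type": tok[1], "state": tok[2],
            "next": " ".join(tok[3:-3]), "cka_id": tok[-3],
            "repo": tok[-2], "keytag": int(tok[-1]),
        })
    return keys

def compact_view(keys):
    """The presentation asked for in the PPS: keytags shown, CKA_IDs omitted."""
    return [f"{k['zone']} {k['type']} {k['state']:<8} {k['next']:<19} {k['keytag']}"
            for k in keys]

def missing_standby(keys, standby=1):
    """Per (zone, keytype), report pairs with fewer than `standby` keys in the
    'publish' or 'ready' state, i.e. nothing staged for the next rollover."""
    counts = defaultdict(int)
    for k in keys:
        if k["state"] in ("publish", "ready"):
            counts[(k["zone"], k["type"])] += 1
    pairs = {(k["zone"], k["type"]) for k in keys}
    return sorted(p for p in pairs if counts[p] < standby)

if __name__ == "__main__":
    ks = parse_key_list(SAMPLE)
    print("\n".join(compact_view(ks)))
    for zone, ktype in missing_standby(ks):
        print(f"WARNING: {zone} {ktype}: no key in publish/ready state")
```

Run against the third snapshot, which has one "ready" and one "publish" key per type, `missing_standby` returns an empty list with the default of one standby key.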