[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Mathieu Arnold mat at mat.cc
Wed Jul 7 11:04:51 CEST 2010


+--On 6 juillet 2010 17:39:15 +0200 Mathieu Arnold <mat at mat.cc> wrote:
| +--On 6 juillet 2010 17:31:07 +0200 Pierre Lebrech
| <pierre.lebrech at laposte.net> wrote:
|| OK, good idea. But some parent zones holders check to see if the
|| corresponding DNSKEY is present in the child zone before accepting
|| DS records. I have DLV in mind... So in this scenario, DS records can
|| not be submitted.
| 
| Also, RIPE NCC has the same kind of prerequisites for reverse delegations.

Actually, I did remember it was more complicated than that with the RIPE
NCC, so, I send a mail to Marvin, ("he"'s always been very helpful,) and it
needs the submitted DS's key to sign the DNSKEY records in order to be
accepted :

***RDNS:    (related to ns1.absolight.net) ERROR (20 points): The
            following DS RR 42934 7 2
            073F9EB4A076DE4C43187BFF589C3C909DE08F554F54150822AF2CA56E26B21A
            ;

xecof-zylor-gemyl-kalog-sibac-mevyz-zekun-suzun-buluv-bofah-hafeh-gihyb-momep-zirap-hurud-kosyc-pyxyx
            is pointing to 257 3 7 (
            AwEAAaDs/19/GU9xiCnK4d4sEINcSRhVC3AE
            aWG8hX2nGHrDLhdckgArA9hgx8gRvQsl1OSf
            rR6o92g9uriyaSJQ0SXYPZw4B/x3klRZDXsh
            Dg4HVDQwh1qlMywUzfdIu6UvXC0uD1DJ5nmu
            0TeQFm7z9RCNHCbYGKyrNs9cH27NiQwyOXw8
            hDeZ0VY9Qitg+8jWW1B4woTqSFaoIU0RIUxi
            xOJScZZmDT7ZEFOi+UD4hVA/liHSAzqoKRvI
            6qs87L7Dw1uhoUSCl6zNmvfyYbLOjfXYLPqs
            v/oXdmZ6G9F8uy4WERmfGSPwCl6wVcQOV93q
            llMxNp5Zw+WpHjg1x2EbJAU= ) ; Key ID = 42934 (42934) Any key
            that a DS points to should sign the DNSKEY RRset

So, I'm a bit stuck, because the enforcer tells me :

Jul  7 10:56:20 ns1 ods-enforcerd: WARNING: KSK Retirement reached; please
submit the new DS for 242.143.79.in-addr.arpa and use ods-ksmutil key
ksk-roll to roll the key.

Which I can't do, because the DS can't be accepted :-)

Chicken, Egg...

-- 
Mathieu Arnold



More information about the Opendnssec-user mailing list