[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Lens Frederic Frederic.Lens at champ.aero
Wed Jun 2 06:59:31 UTC 2010


Hi all,
I'm new to DNSSEC but I seem to be having the same kind of problem as Antti (if not, sorry, should have started another topic)

Basically, I'm starting from scratch. New zone, new SoftHSM token, new database initiated with ods-ksmutil setup.
Zone gets signed on the first run, no problem (timestamp : Jun  1 11:15)
At the next run, I get the following warning:
	Jun  1 12:15:40 localhost ods-enforcerd: WARNING: key rollover not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
The same message is repeated 12 times until Jun  2 01:15, when I get:
	Jun  2 01:15:43 localhost ods-enforcerd: INFO: New DS records needed for the zone test.champ.aero; details will follow
	Jun  2 01:15:43 localhost ods-enforcerd: WARNING: KSK Retirement reached; please submit the new DS for test.champ.aero and use ods-ksmutil key ksk-roll to roll the key.
	Jun  2 01:15:43 localhost ods-enforcerd: No change to: /var/opendnssec/signconf/test.champ.aero.xml
	Jun  2 01:15:43 localhost ods-enforcerd: DSChanged
	Jun  2 01:15:43 localhost ods-enforcerd: DS Record set has changed, the current set looks like:
	Jun  2 01:15:43 localhost ods-enforcerd: test.champ.aero.#0113600#011IN#011DNSKEY#011257 3 7 AwEAAcZhUaxnhrd7i4s1Krl48dJortTSkDfUKPsDBNdAX4u+jLO8z7CwVhCH3dGbS9UVffWzw08h4VXYpCe3UDWdgyYcW2zqM8ob2xxK6C1pstWPRnbROaeYRJv4PWLRQCSiQZEGp14fg2uRHCpiN2+yov1xqjkTAWl+MoixhlY9M0jpA+gf/Y5nCHXYycDMnTioyu+nqqJ9hqQtFpiYuVY70oplxzOMLN7jNwU/p41eH8Twl2kSrv80z9ZFkZea9gUaFkzWHSdwfXxcrdogKHFV01pW+JJ7/SWjHIB8XZGhgy0neATkCu/07C5+e9cGeS1Rzgqi53ciwMvQP22rPDvs95k= ;{id = 57264 (ksk), size = 2048b}
	Jun  2 01:15:43 localhost ods-enforcerd: test.champ.aero.#0113600#011IN#011DNSKEY#011257 3 7 AwEAAcAGau1cCGRun9jbi1Ez56ruMsomaovUmOVho35nCqom5E3esX20qGc1juHPYuA+pjKgisV7nmcjRYJMM+BYaCPWJzc63EyD7yX99CCVkvWStX+U35sXflOKi1zz+wz63GvhO3cDMFLcK5BYp01oo9FkLmkB2dSzgCaYYw8yee8+c6+9wyQwwcDtcY9qz6Skju83Maze5so7QKTIL3S2dzPovv90uK6tDoe3iJKSICdB17wSyd1JiWCETYfheEWgUIrUV+9RBDMC8DByJeFI4cPkYe3LgMlYT4Skk9mx9iYhSnBq5Fz73RzitvcIGBuK5qK0+60AbrvL7ecgKB8R308= ;{id = 29059 (ksk), size = 2048b}
	Jun  2 01:15:43 localhost ods-enforcerd: Once the new DS records are seen in DNS please issue the ds-seen command for zone test.champ.aero with the following cka_ids, cfda403548f5bb57415cf9c023a7897f, 3e6a3440db759e87dc89823e03285c7a

Then comes the good old warning:
	Jun  2 02:15:43 localhost ods-enforcerd: WARNING: KSK Retirement reached; please submit the new DS for test.champ.aero and use ods-ksmutil key ksk-roll to roll the key.
... until the end of the log file (which I attached for completeness).

At this point I have the following keys:

# ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
test.champ.aero                 KSK           ready     waiting for ds-seen       cfda403548f5bb57415cf9c023a7897f  SoftHSM                           57264
test.champ.aero                 KSK           dssub     waiting for ds-seen       3e6a3440db759e87dc89823e03285c7a  SoftHSM                           29059
test.champ.aero                 ZSK           active    2010-07-01 11:15:39       14f39590a565fc8ffcc2b7909866c838  SoftHSM                           34263
test.champ.aero                 ZSK           ready     next rollover             523e6e8d309b252f993eaa8957bd5bfd  SoftHSM                           28694

According to the logs, I should run:
	ods-ksmutil key ds-seen -z test.champ.aero --cka_id cfda403548f5bb57415cf9c023a7897f
	ods-ksmutil key ds-seen -z test.champ.aero --cka_id 3e6a3440db759e87dc89823e03285c7a

If I do that, here is what I get:

# ods-ksmutil key ds-seen -z test.champ.aero --cka_id cfda403548f5bb57415cf9c023a7897f
SQLite database set to: /var/opendnssec/kasp.db
Found key with CKA_ID cfda403548f5bb57415cf9c023a7897f
Key cfda403548f5bb57415cf9c023a7897f made active
Error: retiring a key would leave no active keys on zone, skipping...

# ods-ksmutil key ds-seen -z test.champ.aero --cka_id 3e6a3440db759e87dc89823e03285c7a
SQLite database set to: /var/opendnssec/kasp.db
Found key with CKA_ID 3e6a3440db759e87dc89823e03285c7a
Key 3e6a3440db759e87dc89823e03285c7a made into standby

# ods-ksmutil key list -v
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
test.champ.aero                 KSK           active    2011-06-02 10:51:31       cfda403548f5bb57415cf9c023a7897f  SoftHSM                           57264
test.champ.aero                 KSK           dspublish 2010-06-02 15:38:57       3e6a3440db759e87dc89823e03285c7a  SoftHSM                           29059
test.champ.aero                 ZSK           active    2010-07-01 11:15:39       14f39590a565fc8ffcc2b7909866c838  SoftHSM                           34263
test.champ.aero                 ZSK           ready     next rollover             523e6e8d309b252f993eaa8957bd5bfd  SoftHSM                           28694

Notice the KSK in the dspublish state with next transition 2010-06-02... That's weird! Shouldn't it be "next rollover" instead?
Or am I doing something wrong here / missing an important point?
Besides, I only have one key published in the zone, which is the active KSK.

Thanks for the help!
Fred
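Added example (not from this thread and not OpenDNSSEC's own code) showing how to check what the log and key list above are saying: it parses the `ods-ksmutil key list -v` table to find the KSKs still "waiting for ds-seen" and the ds-seen commands they need, parses the syslog DNSKEY line (where `#011` is a tab), recomputes the RFC 4034 key tag so it can be compared with the id OpenDNSSEC logged, and derives the SHA-256 DS record one would hand to the parent. The sample input is constructed from the rows and the first DNSKEY line quoted above; field names are my own.

```python
import base64
import hashlib
import re

# Constructed sample input: the key-list rows and one DNSKEY log line quoted in the thread.
KEY_LIST = """\
test.champ.aero                 KSK           ready     waiting for ds-seen       cfda403548f5bb57415cf9c023a7897f  SoftHSM                           57264
test.champ.aero                 KSK           dssub     waiting for ds-seen       3e6a3440db759e87dc89823e03285c7a  SoftHSM                           29059
test.champ.aero                 ZSK           active    2010-07-01 11:15:39       14f39590a565fc8ffcc2b7909866c838  SoftHSM                           34263
test.champ.aero                 ZSK           ready     next rollover             523e6e8d309b252f993eaa8957bd5bfd  SoftHSM                           28694
"""
DNSKEY_LOG = "test.champ.aero.#0113600#011IN#011DNSKEY#011257 3 7 AwEAAcZhUaxnhrd7i4s1Krl48dJortTSkDfUKPsDBNdAX4u+jLO8z7CwVhCH3dGbS9UVffWzw08h4VXYpCe3UDWdgyYcW2zqM8ob2xxK6C1pstWPRnbROaeYRJv4PWLRQCSiQZEGp14fg2uRHCpiN2+yov1xqjkTAWl+MoixhlY9M0jpA+gf/Y5nCHXYycDMnTioyu+nqqJ9hqQtFpiYuVY70oplxzOMLN7jNwU/p41eH8Twl2kSrv80z9ZFkZea9gUaFkzWHSdwfXxcrdogKHFV01pW+JJ7/SWjHIB8XZGhgy0neATkCu/07C5+e9cGeS1Rzgqi53ciwMvQP22rPDvs95k= ;{id = 57264 (ksk), size = 2048b}"
ROW_RE = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+(.+?)\s+([0-9a-f]{32})\s+(\S+)\s+(\d+)$")

def parse_key_list(text):
    """One dict per key row; the header and the SQLite banner do not match ROW_RE."""
    keys = ("zone", "keytype", "state", "next", "cka_id", "repository", "keytag")
    return [dict(zip(keys, m.groups()), keytag=int(m.group(7)))
            for l in text.splitlines() if (m := ROW_RE.match(l.strip()))]

def pending_ds_seen(rows):
    """KSKs the enforcer is waiting on, each with the ds-seen command it asks for."""
    return [(r["cka_id"], f"ods-ksmutil key ds-seen -z {r['zone']} --cka_id {r['cka_id']}")
            for r in rows if r["keytype"] == "KSK" and r["next"] == "waiting for ds-seen"]

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA bytes (flags, proto, alg, key)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF

def parse_dnskey(log_line):
    """Parse an ods-enforcerd DNSKEY line; syslog writes each tab as the escape '#011'."""
    owner, _ttl, _cls, _rtype, rest = log_line.split("#011")
    flags, proto, alg, key_b64 = rest.split(";")[0].split()
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode(key_b64)
    logged_id = int(re.search(r"id = (\d+)", rest).group(1))  # the id OpenDNSSEC printed
    return dict(owner=owner, flags=int(flags), alg=int(alg), rdata=rdata,
                keytag=key_tag(rdata), logged_id=logged_id)

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over the canonical (lower-case, wire-format) owner + RDATA."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

if __name__ == "__main__":
    key = parse_dnskey(DNSKEY_LOG)
    print("tag recomputed/logged:", key["keytag"], key["logged_id"], "DS:", ds_sha256(key["owner"], key["rdata"]))
    print("waiting for ds-seen:", pending_ds_seen(parse_key_list(KEY_LIST)))
```

A recomputed tag that differs from the logged id means the DNSKEY in the log is not the key the enforcer thinks it is, which is worth knowing before handing the DS to the parent.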


-----Original Message-----
From: opendnssec-user-bounces at lists.opendnssec.org [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Sion Lloyd
Sent: 01 June 2010 13:25
To: opendnssec-user at lists.opendnssec.org; aristima at csc.fi
Subject: Re: [Opendnssec-user] Version 1.1.0 and KSK rollover logic

On Monday 31 May 2010 11:40:49 am Antti Ristimäki wrote:
> Hi,
> 
> On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> > On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote
> > 
> > > We have 2 situations to consider, "emergency" rollover and scheduled
> > > rollover.
> > > 
> > > The standby key is not used for scheduled rollover, a new key will be
> > > pre-published for that.
> > > 
> > > The standby key will come into use if a rollover command is issued
> > > out-of-sequence. The thinking here is that the submission of the DS
> > > to the parent is likely to be the slower step in the process, so we
> > > can get this out of the way early on before we need to act fast.
> > 
> > OK, this is probably a good idea. But is the scheduled rollover now
> > meant to be initiated only automatically or how does ods-enforcer
> > differentiate a scheduled rollover from an emergency one, if they are
> > both initiated with the same "ods-ksmutil key rollover..." command?

The idea is that you do not need to issue the "key rollover" command for a 
scheduled rollover, only the ds-seen. I see where the confusion comes in 
though, I'll look at making our documentation clearer.

> > In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> > introduce a new KSK in the DNSKEY RRset rather than using the standby
> > KSK. However, this may be due to the fact that my standby KSK is still
> > in "dspublish" state...I guess the standby KSK will enter "dsready" or
> > similar after the standby DS has propagated to caches?
> 
> It seems that if your standby KSK is in "DSREADY" state and you type
> "ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
> signing the DNSKEY RRset with the standby KSK, in addition to the active
> KSK, as expected. However, the standby KSK doesn't appear in the DNSKEY
> RRset immediately, which I find weird. That is, the DNSKEY RRset is
> signed with a KSK that is not even present in the zone DNSKEY RRset!?

That does sound odd, can you send me (off list) the signconf that was used at 
this time, if you still have it?

> With regards to my previous mail, it would be very nice indeed to be
> able to trigger the "normal" (i.e. non-emergency) rollover manually, for
> example for testing purposes etc. Now it doesn't seem to be possible.

I can add this to the requirements. If I understand, you would like to shorten 
the lifespan of the currently active key such that a "scheduled" rollover 
begins immediately. I.e. a new key is pre-published.

Sion
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
