[Opendnssec-user] ksk-roll bug or misunderstanding?

Tom Hendrikx tom at whyscream.net
Mon Mar 15 08:58:30 UTC 2010


Hi,

I am trying to do a ksk-roll on an imported zone (previously managed
manually), but something seems to go wrong. The transition process was done
just as defined on the "Using OpenDNSSEC" web page. What I did:

- Import existing zsk/ksk keys into ods. This went well: after importing
  and signing with ods, I can publish the zone with NSD.
- ods automatically creates new keys, and I start a ksk keyroll:
  ods-ksmutil key keyroll --zone tomhendrikx.nl --keytype ksk
- I publish the new key upstream (in dlv).

Now I wait until ods says it's time to start the next step. Output of
"ods-ksmutil key list -z tomhendrikx.nl -v | grep KSK" looks like this:

SQLite database set to: /var/lib/opendnssec/kasp.db
tomhendrikx.nl                  KSK           active                              �9گT.G�`CG��Xگ�9گ��9�  a2                                softHSM      4665
tomhendrikx.nl                  KSK           ready     next rollover             6e6919ffc1d34ccc8f14c338d7ff843b  softHSM      47140

The manual is not really clear on which key you need to specify when
running "ods-ksmutil key ksk-roll". First guess: the key you want to
retire (the old key):

# ods-ksmutil key ksk-roll -z tomhendrikx.nl -x 4665
*WARNING* This will retire the currently active KSK; are you sure? [y/N] y
SQLite database set to: /var/lib/opendnssec/kasp.db
No keys in the READY state matched your parameters, please check the parameters

Ok, my guess was wrong. So now I try to specify the *new* key:

# ods-ksmutil key ksk-roll -z tomhendrikx.nl -x 47140
*WARNING* This will retire the currently active KSK; are you sure? [y/N] y
SQLite database set to: /var/lib/opendnssec/kasp.db
Found key with CKA_ID 6e6919ffc1d34ccc8f14c338d7ff843b
Key 6e6919ffc1d34ccc8f14c338d7ff843b made active, old key retired

This looks good, but after reviewing the current key state, it seems that
the wrong key has been retired:

meredith-admin tomhendr # ods-ksmutil key list -z tomhendrikx.nl -v | grep KSK
SQLite database set to: /var/lib/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
tomhendrikx.nl                  KSK           active                              �9گT.G�`CG��Xگ�9گ��9�  a2                                softHSM      4665
tomhendrikx.nl                  KSK           retire    2010-03-15 14:00:10       6e6919ffc1d34ccc8f14c338d7ff843b  softHSM      47140

The only issue I see is that the date output is munged, which is
probably due to the fact that I used an invalid date format when
importing. But this was no issue for the zsk, which rolled as expected.

I tried the above scenario twice; both times this resulted in keeping the
old key (id 4665) and retiring the new key (id 47140). Am I doing
something wrong, or is this a bug? (All of the above with the 1.0.0 release
version, using softHSM and sqlite3.)

--
Regards,
	Tom
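
The post's hard-won finding is that `ods-ksmutil key ksk-roll -x` wants the keytag of the KSK that is in the READY state, not of the key being retired, and that the outcome still has to be verified afterwards. The script below is an added example (not code from the original post or from the OpenDNSSEC project): it parses the output of `ods-ksmutil key list -z ZONE -v`, picks the READY KSK's keytag, and after the roll checks that the READY key became active and the old active key was retired. The three listings in it are constructed to match the post, with the columns on one line per key as the tool prints them before mail wrapping; the old key's CKA_ID is invented because the post shows it garbled, and the ZSK line is filler.

```shell
#!/bin/sh
# Added example; not code from the original post or from the OpenDNSSEC project.
# Parses `ods-ksmutil key list -z ZONE -v` output to pick the keytag that
# `ods-ksmutil key ksk-roll -x` expects (the KSK in the READY state) and, once
# the roll has been run, checks that the READY key became active and the
# previously active key was retired. The listings below are constructed to
# match the post; the old key's CKA_ID is invented (it is garbled in the post).

# Verbose key list columns, one record per line:
#   Zone Keytype State [Date of next transition] CKA_ID Repository Keytag
# The date column is optional and may contain a space ("next rollover",
# "2010-03-15 14:00:10"), so the keytag is read from the end of the line.
keytags_in_state() {   # $1 = listing, $2 = keytype (KSK/ZSK), $3 = state
    printf '%s\n' "$1" | awk -v kt="$2" -v st="$3" \
        'NF >= 6 && $2 == kt && $3 == st { print $NF }'
}

# Keytag to pass to `ksk-roll -x`: there must be exactly one READY KSK.
ready_ksk_tag() {
    tags=$(keytags_in_state "$1" KSK ready)
    [ "$(printf '%s\n' "$tags" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$tags"
}

active_ksk_tag() { keytags_in_state "$1" KSK active; }

# Post-roll check: the formerly READY KSK must now be the (single) active KSK,
# and the formerly active KSK must now be among the keys in state RETIRE.
check_ksk_roll() {   # $1 = listing before the roll, $2 = listing after
    before_ready=$(ready_ksk_tag "$1") || return 1
    before_active=$(active_ksk_tag "$1")
    [ -n "$before_active" ] || return 1
    after_active=$(active_ksk_tag "$2")
    after_retired=$(keytags_in_state "$2" KSK retire)
    [ "$after_active" = "$before_ready" ] || return 1
    printf '%s\n' "$after_retired" | grep -qx "$before_active" || return 1
}

# Constructed: listing before the roll (old KSK 4665 active, new KSK 47140 ready).
BEFORE='SQLite database set to: /var/lib/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
tomhendrikx.nl                  KSK           active                              00112233445566778899aabbccddeeff  softHSM      4665
tomhendrikx.nl                  KSK           ready     next rollover             6e6919ffc1d34ccc8f14c338d7ff843b  softHSM      47140
tomhendrikx.nl                  ZSK           active    2010-04-14 08:00:00       ffeeddccbbaa99887766554433221100  softHSM      12345'

# Constructed: what a correct roll should leave behind.
AFTER_EXPECTED='SQLite database set to: /var/lib/opendnssec/kasp.db
tomhendrikx.nl                  KSK           retire    2010-03-15 14:00:10       00112233445566778899aabbccddeeff  softHSM      4665
tomhendrikx.nl                  KSK           active                              6e6919ffc1d34ccc8f14c338d7ff843b  softHSM      47140'

# Constructed: what the post reports (old key still active, new key retired).
AFTER_OBSERVED='SQLite database set to: /var/lib/opendnssec/kasp.db
tomhendrikx.nl                  KSK           active                              00112233445566778899aabbccddeeff  softHSM      4665
tomhendrikx.nl                  KSK           retire    2010-03-15 14:00:10       6e6919ffc1d34ccc8f14c338d7ff843b  softHSM      47140'

# On a live system replace the constants with the real listings, e.g.
#   BEFORE=$(ods-ksmutil key list -z tomhendrikx.nl -v)
echo "pass to ksk-roll -x: $(ready_ksk_tag "$BEFORE")"
if check_ksk_roll "$BEFORE" "$AFTER_EXPECTED"; then echo "expected listing: roll OK"; fi
check_ksk_roll "$BEFORE" "$AFTER_OBSERVED" || echo "observed listing: wrong KSK retired"
```

Reading the keytag from the end of the line rather than by column position is deliberate: the "Date of next transition" column is empty for the active key in the post and two words for the retired one, so fixed field numbers would mis-parse one of them. Run `check_ksk_roll` on captured listings before and after every KSK roll; on the listings from the post it fails, which is exactly the symptom reported.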


