[Opendnssec-user] Strange behavior trying manual ZSK rollover

Sebastian Castro sebastian at nzrs.net.nz
Fri Oct 15 04:00:20 UTC 2010 

Hi:

On my test environment running OpenDNSSEC from trunk, I have a zone
called "ntp.net.nz".

Logs are indicating the need for ZSK rollover:

Oct 15 13:28:16 srsov-sebastian1 ods-enforcerd: INFO: Manual rollover
due for ZSK of zone ntp.net.nz

You can confirm this using ods-ksmutil

bash-3.2# /usr/local/opendnssec/bin/ods-ksmutil rollover list --zone
ntp.net.nz
SQLite database set to: /var/opendnssec/kasp.db
Rollovers:
Zone:                           Keytype:      Rollover expected:
ntp.net.nz                      KSK           2010-10-16 13:47:19
ntp.net.nz                      ZSK           2010-10-15 12:12:58

Please note the date this is being tested

bash-3.2# date
Fri Oct 15 14:53:52 NZDT 2010

And there are keys ready for the rollover:

bash-3.2# /usr/local/opendnssec/bin/ods-ksmutil key list --zone
ntp.net.nz --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next
transition:  CKA_ID:                           Repository:
         Keytag:
ntp.net.nz                      KSK           dspublish 2010-10-15
15:14:37       8bf5895bbebf786687ebe2a1580e2c6d  softHSM
           15261
ntp.net.nz                      KSK           active    2010-10-16
13:47:19       f1438c62e7ac88416948bc711cbd2d3c  softHSM
           38055
ntp.net.nz                      ZSK           active    2010-10-15
12:12:58       f188a7cf521a7eaab1706ee2bb9c7939  softHSM
           18197
ntp.net.nz                      ZSK           ready     next rollover
          3d292c1f905c4e790b721aa5b0c6f6f7  softHSM
      22349
ntp.net.nz                      ZSK           ready     next rollover
          6391a52f853b9c04c51145c35261e300  softHSM
      33309

So we execute the rollover

bash-3.2# /usr/local/opendnssec/bin/ods-ksmutil key rollover --zone
ntp.net.nz --keytype zsk
SQLite database set to: /var/opendnssec/kasp.db

And the active key get his 'Date of next transition' updated with the
date when the rollover was executed, but nothing else happens.

bash-3.2# /usr/local/opendnssec/bin/ods-ksmutil key list --zone
ntp.net.nz --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next
transition:  CKA_ID:                           Repository:
         Keytag:
ntp.net.nz                      KSK           dspublish 2010-10-15
15:14:37       8bf5895bbebf786687ebe2a1580e2c6d  softHSM
           15261
ntp.net.nz                      KSK           active    2010-10-16
13:47:19       f1438c62e7ac88416948bc711cbd2d3c  softHSM
           38055
ntp.net.nz                      ZSK           active    2010-10-15
14:54:37       f188a7cf521a7eaab1706ee2bb9c7939  softHSM
           18197
ntp.net.nz                      ZSK           ready     next rollover
          3d292c1f905c4e790b721aa5b0c6f6f7  softHSM
      22349
ntp.net.nz                      ZSK           ready     next rollover
          6391a52f853b9c04c51145c35261e300  softHSM
      33309

On the next run of the enforcerd, you can see still reminds the rollover
is needed.

Oct 15 15:09:42 srsov-sebastian1 ods-enforcerd: INFO: Manual rollover
due for ZSK of zone ntp.net.nz

Am I missing something? Logs doesn't report any error. I've tried the
rollover three times and the outcome is the same as described above.

May be some inconsistent internal state?

Any suggestion to track this issue will be greatly appreciated.

PS: My apologies for hammering the mailing list today

cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list