[Opendnssec-user] Policy rollover fails

Casper Gielen c.gielen at uvt.nl
Fri Dec 2 09:28:21 UTC 2011


Hello,
I've been doing key rollovers. It works fine for individual zones, but not when rolling entire policies. I am recovering from a major failure, so it might be a matter of a confused database.

Background: I tried to switch a large number of zones to a new policy.
However, I purged the old policy and keys before doing the actual rollover. For learning & entertainment purposes I've decided not to restore from backup but to try to get through this (it's not a production environment).

$ ods-ksmutil key rollover --policy uvtonly --keytype ksk
The enforcer is reloaded but other than that nothing is logged.

$ ods-ksmutil key rollover --zone example.nl --keytype ksk
Works fine.

root at metagross:~# ods-ksmutil key list -v --zone example.com
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
example.com                          KSK           dsready   When required             04840543f5e3ffc7810245c1630f06c4  LocalHSM NOT IN repository
example.com                          KSK           dsready   When required             aa1442918ebcc61ac17b7e67aefa8a37  LocalHSM NOT IN repository
example.com                          KSK           active    2012-04-26 16:40:01       7a4dd93a1fbc287dab40ab4b50e75ccd  LocalHSM NOT IN repository
example.com                          ZSK           active    2011-12-22 16:42:17       bb6af6c8fa3d84ac0a02d3f397c7c0b1  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             3ddd5e497198da5eddae217c2dd861fd  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             9ab2bec08974d8e8f4fbf270278f9ebc  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             27771ce6d3372a9a08201ded94b3708d  LocalHSM NOT IN repository


root at metagross:~# ods-ksmutil key rollover --policy uvtonly --keytype ksk
*WARNING* This will roll all keys on the policy; are you sure? [y/N] y

root at metagross:~# ods-ksmutil key rollover --policy uvtonly
*WARNING* This will roll all keys on the policy; are you sure? [y/N] y
root at metagross:~# ods-ksmutil key list -v --zone example.com
example.com                          KSK           dsready   When required             04840543f5e3ffc7810245c1630f06c4  LocalHSM NOT IN repository
example.com                          KSK           dsready   When required             aa1442918ebcc61ac17b7e67aefa8a37  LocalHSM NOT IN repository
example.com                          KSK           active    2012-04-26 16:40:01       7a4dd93a1fbc287dab40ab4b50e75ccd  LocalHSM NOT IN repository
example.com                          ZSK           active    2011-12-22 16:42:17       bb6af6c8fa3d84ac0a02d3f397c7c0b1  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             3ddd5e497198da5eddae217c2dd861fd  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             9ab2bec08974d8e8f4fbf270278f9ebc  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             27771ce6d3372a9a08201ded94b3708d  LocalHSM NOT IN repository

root at metagross:~# ods-ksmutil key rollover --zone example.com --keytype ksk
root at metagross:~# ods-ksmutil key list -v --zone example.com
example.com                          KSK           keypublish 2011-12-02 11:21:13       04840543f5e3ffc7810245c1630f06c4  LocalHSM NOT IN repository
example.com                          KSK           keypublish 2011-12-02 11:21:13       aa1442918ebcc61ac17b7e67aefa8a37  LocalHSM NOT IN repository
example.com                          KSK           active    2011-12-02 10:20:55       7a4dd93a1fbc287dab40ab4b50e75ccd  LocalHSM NOT IN repository
example.com                          ZSK           active    2011-12-22 16:42:17       bb6af6c8fa3d84ac0a02d3f397c7c0b1  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             3ddd5e497198da5eddae217c2dd861fd  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             9ab2bec08974d8e8f4fbf270278f9ebc  LocalHSM NOT IN repository
example.com                          ZSK           ready     next rollover             27771ce6d3372a9a08201ded94b3708d  LocalHSM NOT IN repository

With a bit of patience I can get all keys rolled over and back to valid keys.
I wouldn't advise anyone to do this in a production environment, but it is possible
to get out of this situation by using normal ODS commands.

All this just for your information.
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
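As an added example (not part of the post above and not OpenDNSSEC's own code): a small Python script that parses `ods-ksmutil key list -v` output captured before and after a rollover command and reports which keys actually changed state, so that a policy-wide rollover that silently does nothing (as in the post) is caught instead of assumed. It also lists keys the output marks as "NOT IN repository". The column layout is assumed from the listings above, the sample listings are constructed from them, and the function names are mine.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One line of `ods-ksmutil key list -v` as seen in the post:
#   zone  keytype  state  date-of-next-transition  CKA_ID  repository
# The date column may be a timestamp or a phrase ("When required",
# "next rollover"), so it is matched non-greedily up to the 32-hex CKA_ID.
LINE_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>.+?)\s+(?P<cka_id>[0-9a-fA-F]{32})\s+(?P<repo>.+?)\s*$"
)


class Key(NamedTuple):
    zone: str
    keytype: str
    state: str
    next_transition: str
    cka_id: str
    repository: str


def parse_key_list(text: str) -> Dict[str, Key]:
    """Parse key list output into a dict keyed by CKA_ID; header/blank lines are skipped."""
    keys: Dict[str, Key] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # header row ("Zone: ...") or blank line
            continue
        k = Key(m["zone"], m["keytype"], m["state"], m["next"], m["cka_id"], m["repo"])
        keys[k.cka_id] = k
    return keys


def state_transitions(before: str, after: str) -> Dict[str, Tuple[str, str]]:
    """Return {cka_id: (old_state, new_state)} for keys whose state changed."""
    old, new = parse_key_list(before), parse_key_list(after)
    return {
        cid: (old[cid].state, new[cid].state)
        for cid in old.keys() & new.keys()
        if old[cid].state != new[cid].state
    }


def rollover_took_effect(before: str, after: str, keytype: str) -> bool:
    """True if at least one key of the given type changed state after the rollover command."""
    new = parse_key_list(after)
    return any(new[cid].keytype == keytype for cid in state_transitions(before, after))


def missing_from_hsm(text: str) -> List[str]:
    """CKA_IDs whose repository column says the key is not present in the HSM."""
    return sorted(cid for cid, k in parse_key_list(text).items() if "NOT IN repository" in k.repository)


# Constructed sample listings, modelled on the three listings in the post.
BEFORE = """\
Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:
example.com  KSK  dsready  When required        04840543f5e3ffc7810245c1630f06c4  LocalHSM NOT IN repository
example.com  KSK  dsready  When required        aa1442918ebcc61ac17b7e67aefa8a37  LocalHSM NOT IN repository
example.com  KSK  active   2012-04-26 16:40:01  7a4dd93a1fbc287dab40ab4b50e75ccd  LocalHSM NOT IN repository
example.com  ZSK  active   2011-12-22 16:42:17  bb6af6c8fa3d84ac0a02d3f397c7c0b1  LocalHSM NOT IN repository
example.com  ZSK  ready    next rollover        3ddd5e497198da5eddae217c2dd861fd  LocalHSM NOT IN repository
"""
# After `key rollover --policy ... --keytype ksk`: identical to BEFORE.
AFTER_POLICY = BEFORE
# After `key rollover --zone example.com --keytype ksk`: dsready KSKs moved to keypublish.
AFTER_ZONE = """\
example.com  KSK  keypublish 2011-12-02 11:21:13  04840543f5e3ffc7810245c1630f06c4  LocalHSM NOT IN repository
example.com  KSK  keypublish 2011-12-02 11:21:13  aa1442918ebcc61ac17b7e67aefa8a37  LocalHSM NOT IN repository
example.com  KSK  active     2011-12-02 10:20:55  7a4dd93a1fbc287dab40ab4b50e75ccd  LocalHSM NOT IN repository
example.com  ZSK  active     2011-12-22 16:42:17  bb6af6c8fa3d84ac0a02d3f397c7c0b1  LocalHSM NOT IN repository
example.com  ZSK  ready      next rollover        3ddd5e497198da5eddae217c2dd861fd  LocalHSM NOT IN repository
"""

if __name__ == "__main__":
    print("policy rollover changed KSK state:", rollover_took_effect(BEFORE, AFTER_POLICY, "KSK"))
    print("zone rollover changed KSK state:  ", rollover_took_effect(BEFORE, AFTER_ZONE, "KSK"))
    for cid, (old_s, new_s) in state_transitions(BEFORE, AFTER_ZONE).items():
        print(f"  {cid}: {old_s} -> {new_s}")
    print("keys not in HSM:", len(missing_from_hsm(AFTER_ZONE)))
```

In practice you would feed the script two captures, `ods-ksmutil key list -v --zone ZONE` taken immediately before and after the rollover command, and treat "no transitions" after a rollover as a failure to investigate rather than success. Note that the active KSK's next-transition date also changed in the zone rollover; the script deliberately reports only state changes, since a date shift alone does not prove a key moved through the rollover states.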