[Opendnssec-user] What should happen when you change the policy for a zone

Sebastian Castro sebastian at nzrs.net.nz
Sun Jan 30 22:29:29 UTC 2011


On 01/28/2011 12:29 AM, Sion Lloyd wrote:
> On Wednesday 26 Jan 2011 10:16:39 AM Rickard Bellgrim wrote:
>> On 19 jan 2011, at 23.28, Sebastian Castro wrote:
>>> Back to the original subject: This test should work or not? Is
>>> OpenDNSSEC prepared for a policy change for a zone?
>>
>> It should work.
>>
>> Sion, could you have a look on this?
> 
> Sorry it took me a while to get time to look at this. It should work... Could 
> you send me your kasp.db (off-list) and I'll see what is going on.
> 
> I suspect that it is stopping the roll because there are no ready keys on the 
> new policy, but not promoting any keys because there is a ready key on the 
> zone... In other words it might be a consequence of the state of keys on the 
> zone at the time that you changed the policy.
> 

Chronology of the event:

- The zone's policy was changed on Jan 12, 11:34
- Key status for each zone is collected once each hour, so I have the
status as reported by 'ods-ksmutil key list' at 11:20 and 12:20


On Wed Jan 12 11:20:01 2011

example.com  KSK  active   2011-01-16 11:12:52  04107d196a2752478fd6cb9b7de6e392  softHSM  31479
example.com  ZSK  retire   2011-01-14 19:31:43  616829e136fdf60c0e0b321e051ec430  softHSM  58635
example.com  ZSK  retire   2011-01-16 19:38:22  edcb15c6d241687e1b0b7c0876ebb7b0  softHSM  10022
example.com  KSK  ready    waiting for ds-seen  7f125554c235727fa9596f308016f792  softHSM   3183
example.com  KSK  dssub    waiting for ds-seen  d7ed463e105b9e285999a1b55a367a5a  softHSM  27145
example.com  ZSK  active   2011-01-13 17:28:22  3766125b6eb6b55a181ee10091b2e2a2  softHSM  20670

On Wed Jan 12 12:20:01 2011

example.com  KSK  active   2011-01-16 11:12:52  04107d196a2752478fd6cb9b7de6e392  softHSM  31479
example.com  ZSK  retire   2011-01-13 18:29:22  edcb15c6d241687e1b0b7c0876ebb7b0  softHSM  10022
example.com  KSK  ready    waiting for ds-seen  7f125554c235727fa9596f308016f792  softHSM   3183
example.com  KSK  dssub    waiting for ds-seen  d7ed463e105b9e285999a1b55a367a5a  softHSM  27145
example.com  ZSK  active   2011-01-13 17:28:22  3766125b6eb6b55a181ee10091b2e2a2  softHSM  20670

On Thu Jan 13 17:20:02 2011 a new ZSK (keytag 17879) was published and
became ready one hour later (following policy).

The current status looks like this:

example.com  KSK  keypublish  2011-01-31 11:14:52  d7ed463e105b9e285999a1b55a367a5a  softHSM  27145
example.com  ZSK  active      2011-01-13 17:28:22  3766125b6eb6b55a181ee10091b2e2a2  softHSM  20670
example.com  ZSK  ready       next rollover        97f9f36690dd2d5e7667c99770557e24  softHSM  17879
example.com  KSK  active      2011-01-29 15:33:27  6fe16f5d8cffc89643478ea70a1534d5  softHSM   8745
example.com  KSK  publish     2011-01-31 11:14:52  14974a8cd4b7f252325353e0809e05cb  softHSM  52093
example.com  KSK  dssub       waiting for ds-seen  ea97477a5cd0cac9f06b6198c1ae9d9d  softHSM  43678


I'm sending a copy of the kasp db off-list to Sion.


Cheers,

> Cheers,
> 
> Sion


-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
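The hourly snapshots above are compared by eye in the post. The script below is an added example, not code from OpenDNSSEC or from the poster: it parses the wrapped `ods-ksmutil key list` records as they appear in the message (the three snapshots are embedded verbatim as sample input), diffs consecutive snapshots by keytag, and lists KSKs that report "waiting for ds-seen" in every snapshot, which in OpenDNSSEC 1.x means nobody has run `ods-ksmutil key ds-seen` for them and the KSK roll cannot progress. The record layout assumed (zone, key type, state, next transition or note, CKA_ID, repository, keytag) is taken from the post; anything else, including the function names, is this example's own.

```python
"""Parse e-mail-wrapped 'ods-ksmutil key list' output and diff key states
between snapshots.  Added example; not OpenDNSSEC's own tooling."""
import re
from dataclasses import dataclass

# One record: zone, KSK|ZSK, state, then either a transition timestamp or a
# free-text note ("waiting for ds-seen", "next rollover"), then the 32-hex
# CKA_ID, repository and numeric keytag.  Column layout as shown in the post.
RECORD_RE = re.compile(
    r"(?P<zone>[\w.-]+)\s+(?P<ktype>KSK|ZSK)\s+(?P<state>[a-z]+)\s+"
    r"(?P<next_event>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|[a-z -]+?)\s+"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<keytag>\d+)"
)

@dataclass(frozen=True)
class Key:
    zone: str
    ktype: str
    state: str
    next_event: str   # timestamp of next transition, or a note such as "waiting for ds-seen"
    cka_id: str
    repo: str
    keytag: int

def parse_key_list(text):
    """Undo mail wrapping/indentation, then pull out every record."""
    flat = " ".join(text.split())
    keys = []
    for m in RECORD_RE.finditer(flat):
        d = m.groupdict()
        d["keytag"] = int(d["keytag"])
        keys.append(Key(**d))
    return keys

def diff_snapshots(before, after):
    """Keys that vanished, appeared, or changed state/next transition, keyed by keytag."""
    b = {k.keytag: k for k in before}
    a = {k.keytag: k for k in after}
    changed = []
    for tag in sorted(set(a) & set(b)):
        for field in ("state", "next_event"):
            old, new = getattr(b[tag], field), getattr(a[tag], field)
            if old != new:
                changed.append((tag, field, old, new))
    return {"removed": sorted(set(b) - set(a)),
            "added": sorted(set(a) - set(b)),
            "changed": changed}

def stuck_waiting_for_ds(snapshots):
    """KSKs reporting 'waiting for ds-seen' in every snapshot: no ds-seen has
    been run for them, so the KSK roll is blocked on the operator."""
    if not snapshots:
        return []
    per_snap = [{k.keytag for k in snap
                 if k.ktype == "KSK" and k.next_event == "waiting for ds-seen"}
                for snap in snapshots]
    return sorted(set.intersection(*per_snap))

# Sample input: the three snapshots copied from the post, wrapping included.
SNAP_1120 = """
example.com     KSK           active    2011-01-16 11:12:52
04107d196a2752478fd6cb9b7de6e392  softHSM                     31479
example.com     ZSK           retire    2011-01-14 19:31:43
616829e136fdf60c0e0b321e051ec430  softHSM                     58635
example.com     ZSK           retire    2011-01-16 19:38:22
edcb15c6d241687e1b0b7c0876ebb7b0  softHSM                     10022
example.com     KSK           ready     waiting for ds-seen
7f125554c235727fa9596f308016f792  softHSM                      3183
example.com     KSK           dssub     waiting for ds-seen
d7ed463e105b9e285999a1b55a367a5a  softHSM                     27145
example.com     ZSK           active    2011-01-13 17:28:22
3766125b6eb6b55a181ee10091b2e2a2  softHSM                     20670
"""
SNAP_1220 = """
example.com     KSK           active    2011-01-16 11:12:52
04107d196a2752478fd6cb9b7de6e392  softHSM                     31479
example.com     ZSK           retire    2011-01-13 18:29:22
edcb15c6d241687e1b0b7c0876ebb7b0  softHSM                     10022
example.com     KSK           ready     waiting for ds-seen
7f125554c235727fa9596f308016f792  softHSM                      3183
example.com     KSK           dssub     waiting for ds-seen
d7ed463e105b9e285999a1b55a367a5a  softHSM                     27145
example.com     ZSK           active    2011-01-13 17:28:22
3766125b6eb6b55a181ee10091b2e2a2  softHSM                     20670
"""
SNAP_NOW = """
example.com     KSK           keypublish 2011-01-31 11:14:52
   d7ed463e105b9e285999a1b55a367a5a  softHSM                  27145
example.com     ZSK           active    2011-01-13 17:28:22
  3766125b6eb6b55a181ee10091b2e2a2  softHSM                   20670
example.com     ZSK           ready     next rollover
  97f9f36690dd2d5e7667c99770557e24  softHSM                   17879
example.com     KSK           active    2011-01-29 15:33:27
6fe16f5d8cffc89643478ea70a1534d5  softHSM                      8745
example.com     KSK           publish   2011-01-31 11:14:52
14974a8cd4b7f252325353e0809e05cb  softHSM                     52093
example.com     KSK           dssub     waiting for ds-seen
ea97477a5cd0cac9f06b6198c1ae9d9d  softHSM                     43678
"""

if __name__ == "__main__":
    snaps = [parse_key_list(s) for s in (SNAP_1120, SNAP_1220, SNAP_NOW)]
    for before, after in zip(snaps, snaps[1:]):
        print(diff_snapshots(before, after))
    print("KSKs never marked ds-seen:", stuck_waiting_for_ds(snaps[:2]))
```

Run as a cron job against the hourly captures, the "removed" list is what surfaces the retired ZSK 58635 dropping out between 11:20 and 12:20, and the "changed" list shows ZSK 10022's retire date being pulled forward at the policy change; the stuck-KSK check is the one to alert on, since a KSK sitting in "waiting for ds-seen" across many snapshots is a roll waiting on a human.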


