[Opendnssec-user] other rollover problem

Mathieu Arnold mat at mat.cc
Mon Jun 13 15:23:42 UTC 2011


Still testing my setup, I wanted to roll over a reverse zone to see how it
would work with the RIPE email system...

I've scratched my head for something like two hours wondering why:
ods-ksmutil key rollover --zone 240.143.79.in-addr.arpa --keytype KSK
was not doing anything...

It was kicking the enforcer, but the enforcer did not do anything, and as
the enforcer takes 15 minutes to go through the 104 zones configured, and
that I can't issue any other command while it's working, it's been driving
me mad...

It turns out that when I started, the reverse zones were in my default
policy, which uses NSEC3, and that sometime last year, I created an NSEC
policy to go with them (who can't guess the content of a reverse zone...)
and changed their policy to the new NSEC one.

Now, in the database, it changed the zones' policy_id, but not the
keypairs' policy_id.

And it happens that ods-ksmutil searches by zone_id and policy_id that it
got searching the zone name, and finds nothing, obviously.

Now, I told myself, I'll stop the enforcer, update the dnsseckeys' retire
field manually and start it again. It was a nice idea, but it did not work:
the enforcer kept putting the old retire time back. I guess it checks with
the zone_id and policy_id too.

So, I went back to the database, and updated the keypairs' policy_id (and
the dnsseckeys' retire while I was at it), and there I was, the enforcer
was nice enough to publish a new KSK.

I guess changing a zone's policy is not something that's done often, and
I'm not sure of what should be done to its keys when it happens, but it
would be nice to be able to have everything just work if it's the case.

Mathieu Arnold
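
The inconsistency described in the message above (a zone's policy_id changed while its keypairs kept the old policy_id) can be found with a read-only query before attempting a rollover. This is an added example, not code from the original post or from OpenDNSSEC; the table layout is a minimal constructed stand-in, and the join columns (dnsseckeys.keypair_id, keypairs.id, zones.id) and the sample rows are assumptions.

```python
import sqlite3

# Minimal stand-in for the tables named in the post. Only policy_id, zone_id
# and retire come from the post; the other columns, the join keys and the
# text keytype values are assumptions made for this example.
SCHEMA = """
CREATE TABLE zones      (id INTEGER PRIMARY KEY, name TEXT, policy_id INTEGER);
CREATE TABLE keypairs   (id INTEGER PRIMARY KEY, policy_id INTEGER);
CREATE TABLE dnsseckeys (id INTEGER PRIMARY KEY, keypair_id INTEGER,
                         zone_id INTEGER, keytype TEXT, retire TEXT);
"""

# Keys whose keypair still points at a different policy than their zone.
MISMATCH_SQL = """
SELECT z.name, d.keytype, k.id, k.policy_id, z.policy_id
FROM dnsseckeys d
JOIN keypairs k ON k.id = d.keypair_id
JOIN zones    z ON z.id = d.zone_id
WHERE k.policy_id <> z.policy_id
ORDER BY z.name, d.keytype
"""

def find_policy_mismatches(conn):
    """Return (zone, keytype, keypair_id, keypair_policy, zone_policy) rows."""
    return conn.execute(MISMATCH_SQL).fetchall()

def build_sample_db():
    """Constructed data: one consistent zone, one zone moved to policy 2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO zones VALUES (?,?,?)", [
        (1, "example.com", 1),
        (2, "240.143.79.in-addr.arpa", 2),   # zone moved from policy 1 to 2
    ])
    # All keypairs were generated while every zone was on policy 1.
    conn.executemany("INSERT INTO keypairs VALUES (?,?)",
                     [(10, 1), (11, 1), (12, 1)])
    conn.executemany("INSERT INTO dnsseckeys VALUES (?,?,?,?,?)", [
        (100, 10, 1, "KSK", "2011-12-01 00:00:00"),
        (101, 11, 2, "KSK", "2011-12-01 00:00:00"),
        (102, 12, 2, "ZSK", "2011-07-01 00:00:00"),
    ])
    return conn

if __name__ == "__main__":
    for zone, keytype, kp, kp_pol, z_pol in find_policy_mismatches(build_sample_db()):
        print(f"{zone} {keytype}: keypair {kp} has policy {kp_pol}, zone has {z_pol}")
```

Against a real installation, run only the SELECT on a copy of the database and check the column names against the installed schema first.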
