[Opendnssec-user] Key has gone straight to active use ..

Sander Smeenk ssmeenk at freshdot.net
Tue May 22 08:37:14 UTC 2012

Quoting Yuri Schaeffer (yuri at nlnetlabs.nl):

> > I think what happened to this zone is: its DS was published
> > automatically just before the NL-zone reloads. The automated 'is DS
> > available for $domain in ds-seen state'-checker I wrote found the DS
> > active only 15 minutes after it being published and marked the key
> > active, way before ODS expected that to happen(??).
> 'active' means the DS can be used by ODS, i.e. all resolvers have
> access to it. This is not immediately after publishing it in the NL-zone;
> these resolvers have caches, which is taken into account by ODS. See [1].

Thanks for your answer!

The entire idea behind key states and their propagation through them is
clear to me. I am totally aware that in this situation the key went
active before undergoing the set key states and that this should not

It was my own fault calling ds-seen on the key almost immediately after
it was sent to the registry. I broke it. Now I want to fix it.

The problem is I can't seem to convince OpenDNSSEC to accept the key as
valid 'because I tell it to'. I have to resort to disabling the auditor
or deprovisioning the entire zone and its keys.

In my logs for this zone:
| May 22 10:11:46 ods1 ods-auditor[19251]: bit-dnssec-test.nl :
|   Key (49029) has gone straight to active use without a prepublished phase
| May 22 10:11:46 ods1 ods-signerd: [tools] audit failed for zone bit-dnssec-test.nl

The keys for this zone in ODS:
| root@ods1:/var/log# ods-ksmutil key list --verbose --zone bit-dnssec-test.nl.
| Zone:                Keytype:  State:  Date of next transition:  CKA_ID:                           Repository: Keytag:
| bit-dnssec-test.nl   KSK       active  2013-05-16 18:30:02       50cc1041f085b4c3774f11c9bfcfe5e3  BITHSM1     53935
| bit-dnssec-test.nl   ZSK       active  2012-06-15 13:45:05       d018a7def94ce60c82db535c5205f551  BITHSM1     49029

The zone was added to OpenDNSSEC on the 15th of May. The timers set in
my policy for propagation have long expired; the DS for this key should
now /really/ be 'active', as it is in the public DNS, but as you can see
above the key in OpenDNSSEC is already 'active'.

Trying to re-activate it fails:
| root@ods1:/var/log# ods-ksmutil key ds-seen --zone bit-dnssec-test.nl -k 50cc1041f085b4c3774f11c9bfcfe5e3
| Found key with CKA_ID 50cc1041f085b4c3774f11c9bfcfe5e3
| Key is already active

As far as I know I now have these options, none of them elegant:

1) Deprovision the entire zone in OpenDNSSEC, destroy its keys, remove
all DS information from the registry, wait for TTLs and start all over.

2) Disable the auditor in my OpenDNSSEC configuration so the signed zone
gets accepted with the key-that-has-not-undergone-all-states.

Shouldn't there be some 'ods-ksmutil key set-state' functionality that
also updates the yes-this-key-has-undergone-all-phases-flag somewhere
in some database?

With regards,
| Before borrowing money from a friend, decide which you need more.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
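The mistake described in the post above is a ds-seen call issued before the DS was actually served by the parent. The following is an added example, not code from the original post or from the OpenDNSSEC project, of the kind of gate a "DS-seen checker" should apply before touching the key state: it only emits the `ods-ksmutil key ds-seen --zone <zone> -k <CKA_ID>` command (the form shown in the post) when OpenDNSSEC lists exactly one KSK for the zone in state 'ready' and every queried authoritative server of the parent zone returns a DS whose key tag matches that KSK. It assumes the OpenDNSSEC 1.x state machine in which a KSK sits in 'ready' until ds-seen is confirmed, that `dig` is installed for the live query, and that the key listing and DS answers below are constructed samples shaped like the output in the post (the DS digests are dummies). Once ds-seen is given, OpenDNSSEC applies its own propagation delay before the key becomes 'active', so the script deliberately does no TTL arithmetic of its own.

```python
"""Gate `ods-ksmutil key ds-seen` on the DS actually being served by the parent.

Added example, not OpenDNSSEC's own code. It emits the ds-seen command only
when (a) OpenDNSSEC lists exactly one KSK for the zone in state 'ready'
(assumed 1.x state in which the DS is to be submitted and confirmed) and
(b) every queried parent name server answers with a DS whose key tag matches
that KSK. OpenDNSSEC then waits out resolver caches itself before 'active'.
"""
import subprocess
from typing import Dict, List, Optional, Set, Tuple

ZONE = "bit-dnssec-test.nl"

# Constructed sample of `ods-ksmutil key list --verbose --zone <zone>` output,
# laid out like the listing in the thread, but with the KSK still 'ready'.
KEY_LIST_SAMPLE = """\
Zone:                Keytype:  State:  Date of next transition:  CKA_ID:                           Repository: Keytag:
bit-dnssec-test.nl   KSK       ready   2012-05-16 18:30:02       50cc1041f085b4c3774f11c9bfcfe5e3  BITHSM1     53935
bit-dnssec-test.nl   ZSK       active  2012-06-15 13:45:05       d018a7def94ce60c82db535c5205f551  BITHSM1     49029
"""

# Constructed `dig +noall +answer <zone> DS` answers; the digests are dummies.
DS_PRESENT = "bit-dnssec-test.nl.\t3600\tIN\tDS\t53935 8 2 " + "ab" * 32 + "\n"
DS_OTHER_KEY = "bit-dnssec-test.nl.\t3600\tIN\tDS\t12345 8 2 " + "cd" * 32 + "\n"
DS_ABSENT = ""  # parent answers, but without any DS for the zone


def ready_ksks(zone: str, key_list_text: str) -> List[Tuple[str, int]]:
    """Return (CKA_ID, keytag) for every KSK of `zone` that ODS lists as 'ready'.

    Parses the table printed by `ods-ksmutil key list --verbose`; the
    transition column holds a date and a time, so a whitespace split yields
    eight fields: zone, type, state, date, time, cka_id, repository, keytag.
    """
    found = []
    for line in key_list_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0].rstrip(".") != zone.rstrip("."):
            continue  # header line or another zone
        if fields[1] == "KSK" and fields[2] == "ready":
            found.append((fields[5], int(fields[7])))
    return found


def ds_keytags(zone: str, dig_answer: str) -> Set[int]:
    """Key tags of the DS records for `zone` in a `dig +noall +answer` answer."""
    tags = set()
    for line in dig_answer.splitlines():
        f = line.split()
        # owner, ttl, class, DS, keytag, algorithm, digest type, digest
        if len(f) >= 8 and f[3] == "DS" and f[0].rstrip(".") == zone.rstrip("."):
            tags.add(int(f[4]))
    return tags


def ds_seen_command(zone: str, key_list_text: str,
                    answers_by_server: Dict[str, str]) -> Optional[str]:
    """Return the ds-seen command to run, or None if it is not safe yet.

    None means: no single 'ready' KSK to confirm, no servers were asked, or at
    least one parent server does not yet serve a DS with the KSK's key tag.
    """
    ksks = ready_ksks(zone, key_list_text)
    if len(ksks) != 1 or not answers_by_server:
        return None
    cka_id, keytag = ksks[0]
    missing = [srv for srv, ans in answers_by_server.items()
               if keytag not in ds_keytags(zone, ans)]
    if missing:
        return None
    return f"ods-ksmutil key ds-seen --zone {zone} -k {cka_id}"


def query_ds(zone: str, server: str) -> str:
    """Live DS query of one parent name server (assumes `dig` is installed)."""
    proc = subprocess.run(["dig", f"@{server}", "+noall", "+answer", zone, "DS"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed data. For a live run replace the
    # dict with {ns: query_ds(ZONE, ns) for ns in <parent zone name servers>}.
    for label, answers in [
        ("DS at both parent servers", {"ns1": DS_PRESENT, "ns2": DS_PRESENT}),
        ("DS missing at one server", {"ns1": DS_PRESENT, "ns2": DS_ABSENT}),
        ("DS for a different key", {"ns1": DS_OTHER_KEY, "ns2": DS_OTHER_KEY}),
    ]:
        cmd = ds_seen_command(ZONE, KEY_LIST_SAMPLE, answers)
        print(f"{label}: {cmd or 'do not run ds-seen yet'}")
```

Note that this gate only concerns the KSK and its DS; it does nothing about a ZSK, and it does not replace the propagation wait that OpenDNSSEC performs after ds-seen. Querying the parent's authoritative servers directly rather than a recursive resolver is what keeps the check from being fooled by a cached negative answer in the other direction.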
