[Opendnssec-user] Key rollover issue...what am I doing wrong?

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Nov 6 15:47:19 UTC 2012


Hi Jake,

With your key and signing policy (KASP) you should be able to determine
when the key will actually be used for signing. OpenDNSSEC implements
'smooth' ZSK rollover, meaning that if the signatures of the predecessor
are still fresh, they won't be replaced yet, even if the predecessor is
retired and the new key is active.

Looking at the default KASP, the validity is 14 days, and refresh is 3
days. Ignoring the jitter for now, it may take at most around 11 days
before all predecessor signatures are replaced with a new one from 7645.

So depending on how your RRSIG expiration timers are spread, it could
take some time before the new key has actually generated a signature.

Best regards,
  Matthijs

On 11/06/2012 04:17 PM, elsif wrote:
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:     Keytype:   State:   Date of next transition (to):    Size:   Algorithm:   CKA_ID:                            Repository:   Keytag:
> <snip>    KSK        ready    waiting for ds-seen (active)     2048    8            4e73113d40c313a459d91ba0efe4b7c7   AEP           58156
> <snip>    ZSK        retire   2012-11-13 05:47:10 (dead)       1024    8            8b28e3a000a937d4c4e4e33774e35c3a   AEP           19855
> <snip>    ZSK        active   2012-12-05 16:47:10 (retire)     1024    8            07b751af4606264c62767c6894f41e3f   AEP           7645
> 
> Yesterday the ZSK rollover occurred.  19855 moved to "retire", "7645"
> was selected as the next key and made "active".
> 
> ODS hasn't used the new "7645" key yet.  It's been 14 hours, 14 signings.
> 
> I nuked the old signed zone thinking that perhaps it was re-using old
> signatures and hadn't required signing with the new key yet, but that's
> had no effect.
> 
> So...when exactly is ODS supposed to start mentioning the "active" key
> in the zone?
> 
> -jake
> 
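The smooth-rollover timing Matthijs describes, worked through as an added simulation. This is illustration code written for this page, not OpenDNSSEC's signer. It assumes the KASP defaults quoted in the reply (validity 14 days, refresh 3 days), ignores jitter as the reply does, runs one signer pass per hour, and uses a constructed zone (owner names rrset00.example. to rrset10.example.) whose old-key signatures were made on consecutive days before the rollover, so their expirations are spread out. The rollover instant T0 is also constructed; only the key tags 19855 (retired) and 7645 (active) come from the thread.

```python
"""Simulation of the 'smooth' ZSK rollover rule described in the reply above.

Added illustration, not OpenDNSSEC's own code.  A signer pass replaces an RRSIG
only when it is within the refresh window of expiring; any signature that is
still fresh is kept, even when it was produced by a ZSK that is now retired.
Timers are the KASP defaults quoted in the reply (validity 14d, refresh 3d);
jitter is ignored, as in the reply.  Key tags 19855 (retired) and 7645 (active)
are from the thread; the zone contents and the rollover time are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

VALIDITY = timedelta(days=14)   # KASP default RRSIG validity
REFRESH = timedelta(days=3)     # KASP default refresh window
OLD_ZSK, NEW_ZSK = 19855, 7645  # key tags from the thread

# Constructed rollover instant: new ZSK becomes active, old one retired.
T0 = datetime(2012, 11, 5, 16, 47, 10)


@dataclass
class RRSIG:
    owner: str
    keytag: int
    inception: datetime
    expiration: datetime


def sign(owner, keytag, now):
    """Fresh signature over `owner` by `keytag`, valid VALIDITY from `now`."""
    return RRSIG(owner, keytag, now, now + VALIDITY)


def resign_pass(sigs, active_keytag, now):
    """One signer run: re-sign only what is inside the refresh window."""
    return [sign(s.owner, active_keytag, now) if s.expiration - now <= REFRESH else s
            for s in sigs]


def sample_zone(rollover):
    """Constructed zone of 11 RRsets whose old-ZSK signatures were made on
    consecutive days before the rollover, so their expirations are spread
    from rollover+4d to rollover+14d.  (Anything closer than REFRESH to
    expiry would already have been refreshed, still by the old key.)"""
    return [sign(f"rrset{i:02d}.example.", OLD_ZSK, rollover - timedelta(days=i))
            for i in range(11)]


def simulate(sigs, active_keytag, start, limit, interval=timedelta(hours=1)):
    """Run a signer pass every `interval` from `start` until `start + limit`.

    Returns {owner: datetime of its first signature by active_keytag}.
    """
    first_use = {}
    now = start
    while now <= start + limit:
        sigs = resign_pass(sigs, active_keytag, now)
        for s in sigs:
            if s.keytag == active_keytag and s.owner not in first_use:
                first_use[s.owner] = now
        now += interval
    return first_use


def worst_case_days():
    """Longest possible wait before the last predecessor RRSIG is replaced:
    a signature made just before the rollover is refreshed REFRESH before
    it expires, i.e. VALIDITY - REFRESH after the rollover."""
    return (VALIDITY - REFRESH).days


def hours_to_first_use(rollover, limit_hours):
    """Hours after `rollover` at which each owner first carries NEW_ZSK,
    for the owners that get there within `limit_hours`."""
    first = simulate(sample_zone(rollover), NEW_ZSK, rollover,
                     timedelta(hours=limit_hours))
    return {owner: int((when - rollover).total_seconds() // 3600)
            for owner, when in first.items()}


if __name__ == "__main__":
    print(f"worst case: {worst_case_days()} days")
    # The situation in the original post: 14 hourly signings after the rollover.
    print("signed by 7645 after 14h:", hours_to_first_use(T0, 14))
    for owner, h in sorted(hours_to_first_use(T0, worst_case_days() * 24).items(),
                           key=lambda kv: kv[1]):
        print(f"{owner:20s} first signed by {NEW_ZSK} {h / 24:.0f} days after rollover")
```

With the constructed spread, the first RRset is re-signed by 7645 one day after the rollover and the last one eleven days after it (validity minus refresh); after 14 hourly passes no RRset has reached its refresh window yet, which is the situation in the original post. A zone whose signatures all share one expiration, for example one signed in a single batch, would show nothing from the new key until that one moment and then switch over all at once.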

