[Opendnssec-user] Key rollover issue...what am I doing wrong?
matthijs at nlnetlabs.nl
Tue Nov 6 15:47:19 UTC 2012
With your key and signing policy (KASP) you should be able to determine
when the key will actually be used for signing. OpenDNSSEC implements
'smooth' ZSK rollover, meaning that if the signatures of the predecessor
are still fresh, they won't be replaced yet, even if the predecessor is
retired and the new key is active.
Looking at the default KASP, the validity is 14 days, and refresh is 3
days. Ignoring the jitter for now, it may take at most around 11 days
before all predecessor signatures are replaced with new ones from 7645.
So depending on how your RRSIG expiration timers are spread, it could
take some time before the new key has actually generated a signature.
On 11/06/2012 04:17 PM, elsif wrote:
> SQLite database set to: /var/opendnssec/kasp.db
> Zone:   Keytype:  State:   Date of next transition (to):   Size:  Algorithm:  CKA_ID:                           Repository:
> <snip>  KSK       ready    waiting for ds-seen (active)    2048   8           4e73113d40c313a459d91ba0efe4b7c7  AEP 58156
> <snip>  ZSK       retire   2012-11-13 05:47:10 (dead)      1024   8           8b28e3a000a937d4c4e4e33774e35c3a  AEP 19855
> <snip>  ZSK       active   2012-12-05 16:47:10 (retire)    1024   8           07b751af4606264c62767c6894f41e3f  AEP 7645
> Yesterday the ZSK rollover occurred. 19855 moved to "retire", "7645"
> was selected as the next key and made "active".
> ODS hasn't used the new "7645" key yet. It's been 14 hours, 14 signings.
> I nuked the old signed zone thinking that perhaps it was re-using old
> signatures and hadn't required signing with the new key yet, but that's
> had no effect.
> So...when exactly is ODS supposed to start mentioning the "active" key
> in the zone?
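The timing Matthijs describes above can be checked with a small simulation. The following is an added example, not OpenDNSSEC's own code: it models a signer that re-signs only RRSIGs within `refresh` of expiring, always with the currently active ZSK, and reports how long after the rollover the new key (7645 in the thread) first appears and when the last signature from the old key (19855) is replaced. The validity (14 days) and refresh (3 days) values are the defaults quoted in the reply; the hourly resign interval, the 100-RRset zone and the evenly spread starting expirations are assumptions made for the example.

```python
"""Toy model of OpenDNSSEC's 'smooth' ZSK rollover (added example, not
OpenDNSSEC's own code). Each signer run re-signs only RRsets whose RRSIG
is within `refresh` of expiring, and signs them with whatever ZSK is active
at that moment, so after a rollover the new key shows up gradually."""
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Rrsig:
    key_tag: int      # key tag of the ZSK that produced the signature
    expiration: int   # seconds after the rollover instant (t = 0)


def needs_refresh(sig: Rrsig, now: int, refresh: int) -> bool:
    """A signature is refreshed once it is within `refresh` of expiring."""
    return sig.expiration - now <= refresh


def sign_pass(sigs, now, validity, refresh, active_key):
    """One signer run: only stale signatures are replaced, using the active key."""
    return [Rrsig(active_key, now + validity) if needs_refresh(s, now, refresh) else s
            for s in sigs]


def steady_state_sigs(key_tag, validity, refresh, n_rrsets):
    """Constructed starting point (assumption): a zone that has been re-signed
    for a while, so its RRSIG expirations are spread evenly over (refresh, validity]."""
    window = validity - refresh
    return [Rrsig(key_tag, refresh + ((i + 1) * window) // n_rrsets)
            for i in range(n_rrsets)]


def simulate_rollover(old_key, new_key, validity, refresh, resign, n_rrsets):
    """Return (hours until the new key first signs,
               hours until the last old-key RRSIG has been replaced).
    Either value is None if it did not happen within one validity period."""
    sigs = steady_state_sigs(old_key, validity, refresh, n_rrsets)
    first_new = last_old_gone = None
    for t in range(resign, validity + resign, resign):
        sigs = sign_pass(sigs, t, validity, refresh, new_key)
        tags = {s.key_tag for s in sigs}
        if first_new is None and new_key in tags:
            first_new = t
        if old_key not in tags:
            last_old_gone = t
            break
    to_hours = lambda v: None if v is None else v // HOUR
    return to_hours(first_new), to_hours(last_old_gone)


if __name__ == "__main__":
    # Default KASP values from the thread: validity 14 days, refresh 3 days.
    # Hourly resign and a 100-RRset zone are assumptions for the example.
    first, last = simulate_rollover(19855, 7645, 14 * DAY, 3 * DAY, 1 * HOUR, 100)
    print(f"new ZSK 7645 first signs after {first} h; "
          f"last 19855 signature replaced after {last} h (~{last / 24:.0f} days)")
```

With these inputs the new key signs its first RRset within a few hours, but the last old-key signature is only replaced after 264 hours, i.e. the 11 days (validity minus refresh) mentioned in the reply; deleting the signed zone file does not change this, because the decision is driven by the RRSIG expiration times, not by the file on disk.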