[Opendnssec-user] Strange signature combination.

Jan Hugo Prins jhp at jhprins.org
Thu Oct 10 13:55:02 UTC 2013


I'm currently in the process of getting to learn all the inner workings
of DNSSec and the combination with OpenDNSSec in particular. So far
everything looks fine, but I have one strange thing now.

During my testing I have taken my own domain to do some DNSSEC things
with. This domain has been signed for a longer period of time but this
was always manual using the bind tools. Now I have imported the domain
into opendnssec and created the keys. After that I imported the new DS
for the new KSK into the parent zone.

Then I started playing around and because I didn't know yet how
OpenDNSSEC worked I did a rollover 2 times in the default policy. This
created the following situation:

 SQLite database set to: /var/opendnssec/kasp.db
Zone:                           Keytype:      State:    Date of next
transition (to):  Size:   Algorithm:  CKA_ID:                          
Repository:                       Keytag:
jhprins.org                     KSK           active    2014-10-08
14:21:49 (retire)   2048    8          
e3de714c43911ebfd7efb3c3bb4e0a10  SoftHSM                           26527
jhprins.org                     ZSK           retire    2013-10-17
23:20:52 (dead)     1024    8          
f77af07f4b6b59a53dd3a20c946ad21f  SoftHSM                           6675
jhprins.org                     ZSK           retire    2013-10-23
20:14:54 (dead)     1024    8          
0bae373b89af2dd910f0f7c02f2a5e4a  SoftHSM                           14511
jhprins.org                     ZSK           active    2014-01-07
07:14:54 (retire)   1024    8          
9f839d3282f4a428dafa3f0b846112ff  SoftHSM                           63966

I have now put the new zone into DNS and it should now be active, so you
can look it up.

The strange thing I see is that the current zone seems to be signed by 2
different keys.
The SOA record is signed using key 63966 while the rest of the zone is
signed using key 6675.

How can this happen and why does this happen? I wander what will happen
with the signatures after the 17th of October. What keys will be used?

The attached PNG also shows it very clearly.
ID 8836 and 53370 are the KSK and ZSK created in the past using the bind

Jan Hugo Prins

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jhprins.org-2013-10-10-13:22:42.png
Type: image/png
Size: 134350 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20131010/d5e458ee/attachment.png>

More information about the Opendnssec-user mailing list