[Opendnssec-user] Strange signature combination.
Jan Hugo Prins
jhp at jhprins.org
Thu Oct 10 13:55:02 UTC 2013
I'm currently in the process of getting to learn all the inner workings
of DNSSec and the combination with OpenDNSSec in particular. So far
everything looks fine, but I have one strange thing now.
During my testing I have taken my own domain to do some DNSSEC things
with. This domain has been signed for a longer period of time but this
was always manual using the bind tools. Now I have imported the domain
into opendnssec and created the keys. After that I imported the new DS
for the new KSK into the parent zone.
Then I started playing around and because I didn't know yet how
OpenDNSSEC worked I did a rollover 2 times in the default policy. This
created the following situation:
SQLite database set to: /var/opendnssec/kasp.db
Zone: Keytype: State: Date of next
transition (to): Size: Algorithm: CKA_ID:
jhprins.org KSK active 2014-10-08
14:21:49 (retire) 2048 8
e3de714c43911ebfd7efb3c3bb4e0a10 SoftHSM 26527
jhprins.org ZSK retire 2013-10-17
23:20:52 (dead) 1024 8
f77af07f4b6b59a53dd3a20c946ad21f SoftHSM 6675
jhprins.org ZSK retire 2013-10-23
20:14:54 (dead) 1024 8
0bae373b89af2dd910f0f7c02f2a5e4a SoftHSM 14511
jhprins.org ZSK active 2014-01-07
07:14:54 (retire) 1024 8
9f839d3282f4a428dafa3f0b846112ff SoftHSM 63966
I have now put the new zone into DNS and it should now be active, so you
can look it up.
The strange thing I see is that the current zone seems to be signed by 2
The SOA record is signed using key 63966 while the rest of the zone is
signed using key 6675.
How can this happen and why does this happen? I wander what will happen
with the signatures after the 17th of October. What keys will be used?
The attached PNG also shows it very clearly.
ID 8836 and 53370 are the KSK and ZSK created in the past using the bind
Jan Hugo Prins
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 134350 bytes
Desc: not available
More information about the Opendnssec-user