[Opendnssec-user] Strange signature combination.

Matthijs Mekking matthijs at nlnetlabs.nl
Fri Oct 11 07:56:32 UTC 2013

Hi Jan Hugo,

On 10/10/2013 03:55 PM, Jan Hugo Prins wrote:
> Hello,
> I'm currently in the process of getting to learn all the inner workings
> of DNSSec and the combination with OpenDNSSec in particular. So far
> everything looks fine, but I have one strange thing now.
> During my testing I have taken my own domain to do some DNSSEC things
> with. This domain has been signed for a longer period of time but this
> was always manual using the bind tools. Now I have imported the domain
> into opendnssec and created the keys. After that I imported the new DS
> for the new KSK into the parent zone.
> Then I started playing around and because I didn't know yet how
> OpenDNSSEC worked I did a rollover 2 times in the default policy. This
> created the following situation:
>  SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:         Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
> jhprins.org   KSK       active   2014-10-08 14:21:49 (retire)   2048   8           e3de714c43911ebfd7efb3c3bb4e0a10  SoftHSM      26527
> jhprins.org   ZSK       retire   2013-10-17 23:20:52 (dead)     1024   8           f77af07f4b6b59a53dd3a20c946ad21f  SoftHSM      6675
> jhprins.org   ZSK       retire   2013-10-23 20:14:54 (dead)     1024   8           0bae373b89af2dd910f0f7c02f2a5e4a  SoftHSM      14511
> jhprins.org   ZSK       active   2014-01-07 07:14:54 (retire)   1024   8           9f839d3282f4a428dafa3f0b846112ff  SoftHSM      63966
> I have now put the new zone into DNS and it should now be active, so you
> can look it up.
> The strange thing I see is that the current zone seems to be signed by 2
> different keys.
> The SOA record is signed using key 63966 while the rest of the zone is
> signed using key 6675.
> How can this happen and why does this happen? I wonder what will happen
> with the signatures after the 17th of October. What keys will be used?

OpenDNSSEC performs a so-called *smooth* pre-publish ZSK rollover. That
means that not all signatures will be replaced at once. Instead, only
when signatures of the retired key need to be refreshed, they will be
replaced with the new active key.

The signatures from key 6675 will be replaced some time between now and
October 17. When this happens precisely depends on your KASP: It's a
function of signature validity period, refresh period and jitter.

The SOA record needs to be refreshed on every re-sign, so that one is
already signed with the new key 63966.

Best regards,

> The attached PNG also shows it very clearly.
> ID 8836 and 53370 are the KSK and ZSK created in the past using the bind
> tools.
> Jan Hugo Prins
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
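The following is an added illustration of the smooth pre-publish ZSK rollover described in the reply above; it is not code from the thread or from OpenDNSSEC itself. It models a signer that runs every Resign interval, re-signs only the RRsets whose signatures have entered their Refresh window (plus the SOA, which changes on every run), and signs with whichever ZSK is active at that moment. Key tags 6675 and 63966, the starting signatures and the hour-based timings are constructed; the +/- jitter on the expiration is an assumption about how the jitter knob is applied, so check your signer's documentation before relying on the exact bound.

```python
"""Model of a smooth pre-publish ZSK rollover: each signer run re-signs only
the RRsets whose signatures are due for refresh, using whichever ZSK is active
at that moment, so a zone carries a mix of old and new key tags for a while."""
import random
from dataclasses import dataclass

# Constructed key tags (they match the thread's numbers but nothing here is real zone data).
OLD_ZSK, NEW_ZSK = 6675, 63966


@dataclass
class Kasp:
    """Signature timing knobs, named after the kasp.xml <Signatures> elements (hours)."""
    validity: int  # <Validity><Default>: lifetime of a signature
    refresh: int   # <Refresh>: re-sign once less than this remains before expiration
    resign: int    # <Resign>: interval between signer runs
    jitter: int    # <Jitter>: random spread on the expiration, modelled here as +/- jitter (assumption)


@dataclass
class Sig:
    keytag: int
    inception: int
    expiration: int


def needs_refresh(sig: Sig, now: int, kasp: Kasp) -> bool:
    """A signature is refreshed once it enters its refresh window."""
    return now >= sig.expiration - kasp.refresh


def sign(keytag: int, now: int, kasp: Kasp, rng: random.Random) -> Sig:
    spread = rng.randint(-kasp.jitter, kasp.jitter) if kasp.jitter else 0
    return Sig(keytag, now, now + kasp.validity + spread)


def simulate(kasp, initial, old_tag, new_tag, switch, horizon, seed=1):
    """Run the signer every `resign` hours from 0 to `horizon`; the new ZSK becomes
    the signing key at `switch`. Returns (timeline, last_old_expiration): timeline is
    a list of (time, {rrset: keytag}) snapshots, last_old_expiration the latest
    expiration of any signature ever made with the old key (the old DNSKEY must
    stay published at least that long)."""
    rng = random.Random(seed)
    sigs = dict(initial)
    last_old_exp = max(s.expiration for s in sigs.values() if s.keytag == old_tag)
    timeline = []
    for now in range(0, horizon + 1, kasp.resign):
        active = new_tag if now >= switch else old_tag
        for name in list(sigs):
            # The SOA changes (serial bump) on every run, so it is always re-signed.
            if name == "SOA" or needs_refresh(sigs[name], now, kasp):
                sigs[name] = sign(active, now, kasp, rng)
                if active == old_tag:
                    last_old_exp = max(last_old_exp, sigs[name].expiration)
        timeline.append((now, {n: s.keytag for n, s in sigs.items()}))
    return timeline, last_old_exp


def signers_at(timeline, t):
    """Key tag per RRset as of the last signer run at or before time t."""
    snap = {}
    for when, tags in timeline:
        if when > t:
            break
        snap = tags
    return snap


def first_time_all_signed_by(timeline, tag):
    """First signer run after which every RRset carries signatures from `tag`."""
    for when, tags in timeline:
        if all(k == tag for k in tags.values()):
            return when
    return None


if __name__ == "__main__":
    kasp = Kasp(validity=14 * 24, refresh=3 * 24, resign=2, jitter=12)
    # Constructed starting point: old-key signatures with staggered expirations,
    # as a zone that has been re-signed with jitter for a while would have.
    initial = {"SOA": Sig(OLD_ZSK, -100, 236), "A": Sig(OLD_ZSK, -200, 136),
               "MX": Sig(OLD_ZSK, -300, 36), "NS": Sig(OLD_ZSK, -50, 286)}
    timeline, last_old = simulate(kasp, initial, OLD_ZSK, NEW_ZSK, switch=10, horizon=400)
    prev = None
    for when, tags in timeline:
        if tags != prev:
            print(f"t={when:4d}h  " + "  ".join(f"{n}:{k}" for n, k in tags.items()))
            prev = tags
    print("all RRsets carry the new key from t =", first_time_all_signed_by(timeline, NEW_ZSK), "h")
    print("last signature made with the old key expires at t =", last_old, "h")
```

Running it prints one line per signer run in which some key tag changed: the SOA flips to the new key on the first run after the switch, while the other RRsets flip one by one as each reaches its refresh point, which is why a dig of the live zone shows the SOA under one tag and the rest under another. With jitter set to zero the hand-off times are exact (expiration minus Refresh); with jitter they move by at most the jitter amount, which is the "function of validity, refresh and jitter" the reply refers to.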
