[Opendnssec-user] Problem with KSK manual rollover
Erik Østlyngen
erik.ostlyngen at uninett.no
Fri Mar 7 19:02:25 UTC 2014
Hi,
I'm doing some testing with opendnssec 1.4.3. I'm trying to create KSKs
which never expire. I'm doing this because I want complete control over
when to do the rollover. I'm following the description on the last
paragraph of this page:
https://wiki.opendnssec.org/display/DOCS/Key+Management ('Key rollovers
on exact dates')
I've added a <ManualRollover/> tag in the <KSK>-block in the kasp.xml
file, run ods-ksmutil setup, then ods-ksmutil update all, then
ods-signer update --all. My newly created keys now have expiry dates,
but I expect the KSKs to stay as they are until I issue the command
'ods-ksmutil key rollover'.
But what happens is that opendnssec creates a new KSK and starts
publishing it behind my back just before the currently active KSK is
about to expire. This is the same behaviour as automatic rollover except
that when the new key is 'ready', I find a message in syslog:
INFO: Manual rollover due for KSK of zone stavanger.no.
I guess I've misconfigured something but I'm not sure what. My kasp.xml
looks like this:
<KASP>
  <Policy name="lab">
    <Description>Quick turnaround policy</Description>
    <Signatures>
      <Resign>PT10M</Resign>
      <Refresh>PT4H</Refresh>
      <Validity>
        <Default>PT48H</Default>
        <Denial>PT48H</Denial>
      </Validity>
      <Jitter>PT1M</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
    <Denial>
      <NSEC3>
        <OptOut/>
        <Resalt>P100D</Resalt>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>5</Iterations>
          <Salt length="8"/>
        </Hash>
      </NSEC3>
    </Denial>
    <Keys>
      <!-- Parameters for both KSK and ZSK -->
      <TTL>PT300S</TTL>
      <RetireSafety>PT360S</RetireSafety>
      <PublishSafety>PT360S</PublishSafety>
      <!-- <ShareKeys/> -->
      <Purge>P1D</Purge>
      <!-- Parameters for KSK only -->
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>PT4H</Lifetime>
        <Repository>SoftHSM</Repository>
        <ManualRollover/>
      </KSK>
      <!-- Parameters for ZSK only -->
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>PT2H</Lifetime>
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
...
Zonelist:
...
<Zone name="stavanger.no">
  <Policy>lab</Policy>
  <SignerConfiguration>/srv/data/opendnssec/signconf/stavanger.no.xml</SignerConfiguration>
  <Adapters>
    <Input>
      <Adapter type="File">/srv/data/opendnssec/unsigned/stavanger.no</Adapter>
    </Input>
    <Output>
      <Adapter type="File">/srv/data/opendnssec/signed/stavanger.no</Adapter>
    </Output>
  </Adapters>
</Zone>
...
'ods-ksmutil zone list' gives me:
Found Zone: stavanger.no; on policy lab
Can anyone advise me?
Erik Østlyngen
UNINETT Norid
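As an added example (not code from OpenDNSSEC and not part of the post), the script below parses a kasp.xml policy, converts its ISO 8601 durations (PT4H, P100D, PT3600S) to seconds, and reports the per-key settings that bear on the rollover question: lifetime, whether <ManualRollover/> is present, algorithm and key length. The embedded policy is constructed from the kasp.xml quoted above with the Signatures and Denial blocks left out; the one-day lifetime threshold used in the check, and the 365/30-day year and month lengths, are assumptions of this example, not OpenDNSSEC rules.

```python
"""Inspect the rollover-relevant key settings of an OpenDNSSEC 1.4 kasp.xml policy.

Added example; not OpenDNSSEC code. The embedded policy is constructed from the
kasp.xml quoted in the post (Signatures and Denial blocks omitted, not used here).
"""
import re
import xml.etree.ElementTree as ET

# kasp.xml durations are ISO 8601 (PnYnMnDTnHnMnS, also PnW). Years and months
# have no fixed length; 365 and 30 days are an assumption for reporting only.
_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def duration_seconds(text):
    """Convert an ISO 8601 duration such as PT4H or P100D to whole seconds."""
    m = _DURATION.match(text.strip())
    if m is None or not any(v is not None for v in m.groupdict().values()):
        raise ValueError("not an ISO 8601 duration: %r" % text)
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return ((g["y"] * 365 + g["mo"] * 30 + g["w"] * 7 + g["d"]) * 86400
            + g["h"] * 3600 + g["mi"] * 60 + g["s"])


# Constructed from the policy in the post; only the <Keys> block is kept.
KASP_XML = """\
<KASP>
  <Policy name="lab">
    <Description>Quick turnaround policy</Description>
    <Keys>
      <TTL>PT300S</TTL>
      <RetireSafety>PT360S</RetireSafety>
      <PublishSafety>PT360S</PublishSafety>
      <Purge>P1D</Purge>
      <KSK>
        <Algorithm length="2048">8</Algorithm>
        <Lifetime>PT4H</Lifetime>
        <Repository>SoftHSM</Repository>
        <ManualRollover/>
      </KSK>
      <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>PT2H</Lifetime>
        <Repository>SoftHSM</Repository>
      </ZSK>
    </Keys>
  </Policy>
</KASP>
"""


def key_settings(kasp_xml, policy_name):
    """Return the KSK/ZSK parameters and shared key timings of one policy."""
    root = ET.fromstring(kasp_xml)
    policy = root.find("Policy[@name='%s']" % policy_name)
    if policy is None:
        raise KeyError("no policy named %r" % policy_name)
    keys = policy.find("Keys")
    settings = {
        "ttl_s": duration_seconds(keys.findtext("TTL")),
        "publish_safety_s": duration_seconds(keys.findtext("PublishSafety")),
        "retire_safety_s": duration_seconds(keys.findtext("RetireSafety")),
    }
    for kind in ("KSK", "ZSK"):
        node = keys.find(kind)
        alg = node.find("Algorithm")
        settings[kind] = {
            "algorithm": int(alg.text),
            "bits": int(alg.get("length")),
            "lifetime_s": duration_seconds(node.findtext("Lifetime")),
            "manual_rollover": node.find("ManualRollover") is not None,
            "repository": node.findtext("Repository"),
        }
    return settings


def findings(settings):
    """Point out the combinations a reviewer would question in this policy."""
    notes = []
    ksk = settings["KSK"]
    # The post observes a successor KSK being generated and published as the
    # 4h lifetime ends despite <ManualRollover/>. The one-day threshold is an
    # assumption of this example, not an OpenDNSSEC rule.
    if ksk["manual_rollover"] and ksk["lifetime_s"] <= 86400:
        notes.append("KSK: <ManualRollover/> set but <Lifetime> is only %d s"
                     % ksk["lifetime_s"])
    for kind in ("KSK", "ZSK"):
        k = settings[kind]
        if k["algorithm"] in (5, 7, 8, 10) and k["bits"] < 2048:  # RSA algorithms
            notes.append("%s: RSA key of %d bits is below 2048" % (kind, k["bits"]))
    return notes


if __name__ == "__main__":
    s = key_settings(KASP_XML, "lab")
    for kind in ("KSK", "ZSK"):
        print(kind, s[kind])
    for note in findings(s):
        print("finding:", note)
```

Run against a real kasp.xml by replacing KASP_XML with the file contents; the duration parser also covers the Signatures and Denial values (PT10M, P100D) even though this checker only reads the Keys block.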