[Opendnssec-user] KSK rollover issue

Emil Natan shlyoko at gmail.com
Tue May 20 16:16:42 CEST 2014


Hello,

I'm testing the KSK rollover process and got into something I fail to
understand. For my zone I have one stand-by KSK. Before starting the
rollover here is how my keys list looked:

ods-ksmutil key list --keytype ksk -v 2> /dev/null
Keys:
Zone:                           Keytype:      State:    Date of next
transition (to):  Size:   Algorithm:  CKA_ID:
Repository:                       Keytag:
tld                              KSK           active    2015-06-07
18:59:50 (retire)   2048    8           a2b2155affee6c67ec546222443bb35c
 Keyper                            62557
tld                              KSK           dsready   When required
  (keypub)   2048    8           a0ad6883be22eb83506f6eed1ad01ab1  Keyper
                         58075

Then I used "ods-ksmutil key rollover --zone tld --keytype KSK" to start
the KSK rollover process. Here is the keys list after that step:

ods-ksmutil key list --keytype ksk -v 2> /dev/null
Keys:
Zone:                           Keytype:      State:    Date of next
transition (to):  Size:   Algorithm:  CKA_ID:
Repository:                       Keytag:
tld                              KSK           publish   2014-05-20
19:18:53 (ready)    2048    8           336a0d8ebb714fe38eff8abc3fcd9c98
 Keyper                            39757
tld                              KSK           active    2014-05-20
15:13:53 (retire)   2048    8           a2b2155affee6c67ec546222443bb35c
 Keyper                            62557
tld                              KSK           keypublish 2014-05-20
19:18:53 (active)   2048    8           a0ad6883be22eb83506f6eed1ad01ab1
 Keyper                            58075

Because I'm still testing and try various options, I have restarted the
ods-enforcerd process and that introduced additional KSK for that zone:

ods-ksmutil key list --keytype ksk --zone tld -v 2> /dev/null
Keys:
Zone:                           Keytype:      State:    Date of next
transition (to):  Size:   Algorithm:  CKA_ID:
Repository:                       Keytag:
tld                              KSK           keypublish 2014-05-20
19:18:53 (active)   2048    8           a0ad6883be22eb83506f6eed1ad01ab1
 Keyper                            58075
tld                              KSK           publish   2014-05-20
19:18:53 (ready)    2048    8           336a0d8ebb714fe38eff8abc3fcd9c98
 Keyper                            39757
tld                              KSK           active    2014-05-20
15:13:53 (retire)   2048    8           a2b2155affee6c67ec546222443bb35c
 Keyper                            62557
tld                              KSK           dssub     waiting for
ds-seen (dspub)    2048    8           997358542f04e0f34dcf70d47a5dc22a
 Keyper                            18944

What I do not understand is why the key with Keytag 39757 was introduced
for that zone and why with state "publish"? It looks more like a stand-by
ZSK which are introduced in "publish" state. When signing the zone 3 KSKs
are added to the DNSKEY record (62557, 58075, 39757). When creating the DS
record for that zone, hashes for the following 3 keys are created
- 62557, 18944, 58075, which actually makes sense. Just for the record, I
also have stand-by ZSK set in kasp.xml.

The logfile first says:
May 20 15:26:02 catwoman ods-enforcerd: 1 zone(s) found on policy "TLD"
May 20 15:26:02 catwoman ods-enforcerd: No new KSKs need to be created.
May 20 15:26:02 catwoman ods-enforcerd: No new ZSKs need to be created.
May 20 15:26:02 catwoman ods-enforcerd: Purging keys...

and then:
May 20 15:26:02 catwoman ods-enforcerd: zonelist filename set to
/usr/local/ods/etc/opendnssec/zonelist.xml.
May 20 15:26:02 catwoman ods-enforcerd: Zone tld found.
May 20 15:26:02 catwoman ods-enforcerd: Policy for tld set to TLD.
May 20 15:26:02 catwoman ods-enforcerd: Policy TLD found in DB.
May 20 15:26:02 catwoman ods-enforcerd: Config will be output to
/usr/local/ods/var/opendnssec/signconf/tld.xml.
May 20 15:26:02 catwoman ods-enforcerd: KSK key allocation for zone tld: 1
key(s) allocated
May 20 15:26:02 catwoman ods-enforcerd: WARNING: KSK rollover for zone
'tld' not completed as there are no keys in the 'ready' state;
ods-enforcerd will try again when it runs next
May 20 15:26:02 catwoman ods-enforcerd: No change to:
/usr/local/ods/var/opendnssec/signconf/tld.xml
May 20 15:26:02 catwoman ods-enforcerd: DSChanged
...

ods-ksmutil --version
opendnssec version 1.4.5

Any ideas what went wrong or what I'm missing?

A comment in the configuration file states that the Stand-by feature is
experimental? Does it mean it should not be used in production environments?

Thanks.
Emil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140520/2d989cd4/attachment.html>


More information about the Opendnssec-user mailing list