[Opendnssec-user] ods-enforcerd in error loop required manual ods-ksmutil hacking to get unstuck :(

Simon Arlott simon at arlott.org
Sat Sep 27 11:38:45 UTC 2014


On 27/09/14 10:32, Simon Arlott wrote:
>> What was in the signconf.xml? Because
>> if the ZSK was not configured there, the signer will happily sign the
>> zone with just the KSK (if in signconf.xml of course).
> 
> I have the same problem. I had recently deleted a zone with:
> $ ods-ksmutil zone delete --zone example.com
> 
> About 45 minutes later, for a different zone, it removed all the
> signatures except those made by the KSK on the DNSKEY RRs. At the same
> time it also removed the previous ZSK:

The old ZSK is showing as "retire 2014-10-14" and "dead 2014-09-26 21:32:57"
at the time I deleted the other zone, and the new ZSK was published at
the next signing run, but won't be active for another 14 hours:

sqlite> select * from keydata_view where zone_id=41 order by publish;
id|state|generate|publish|ready|active|retire|dead|keytype|algorithm|location|zone_id|policy_id|securitymodule_id|size|compromisedflag|fixedDate
572|4|2014-03-27 14:15:36|2014-03-27 14:15:55|2014-03-28 19:15:50|2014-03-29 13:15:11|2015-03-29 13:15:11||257|10|5e542722830a435d0d81147ac93abfdd|41|1|1|1536||0
588|6|2014-04-09 19:15:38|2014-04-09 19:15:54|2014-04-10 23:16:18|2014-04-11 00:16:27|2014-07-13 00:16:35|2014-09-15 03:16:54|256|10|3546bb15af9d76528456edda7e598d66|41|1|1|1280||0
622|6|2014-07-11 20:16:04|2014-07-11 20:16:19|2014-07-13 00:16:35|2014-07-13 00:16:35|2014-10-14 00:16:35|2014-09-26 21:32:57|256|10|9d6ead2e49d09e17b8836717a612bc39|41|1|1|1280||0
580|2|2014-04-09 17:16:18|2014-09-26 22:16:10|2014-09-28 02:16:10||||256|10|4b8a3da57795e718c29eb8c611d2fa1a|41|1|1|1280||0

Regardless of how the old key got marked dead, it should have made the
new ZSK active immediately because there were no other live ZSKs.


These are the keys belonging to the deleted zone:
sqlite> select * from keydata_view where zone_id is null;
id|state|generate|publish|ready|active|retire|dead|keytype|algorithm|location|zone_id|policy_id|securitymodule_id|size|compromisedflag|fixedDate
525||2013-08-09 07:52:33|||||||10|6a04bbf7856da75cd28390250ddd6aba||1|1|1536||0
613||2014-07-11 19:15:34|||||||10|ce1ffd3f83c091c17e494cd82600ca9f||1|1|1280||0

The .OLD version of the signconf looks ok:
                <Keys>
                        <TTL>PT3600S</TTL>
                        <Key>
                                <Flags>257</Flags>
                                <Algorithm>10</Algorithm>
                                <Locator>5e542722830a435d0d81147ac93abfdd</Locator>
                                <KSK />
                                <Publish />
                        </Key>

                        <Key>
                                <Flags>256</Flags>
                                <Algorithm>10</Algorithm>
                                <Locator>9d6ead2e49d09e17b8836717a612bc39</Locator>
                                <ZSK />
                                <Publish />
                        </Key>
                </Keys>

I have these log entries at the time of the deletion for every zone:
26 21:32:59 ods-signerd: [worker[1]] continue task [sign] for zone simon.arlott.name

-- 
Simon Arlott

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2387 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140927/f203980b/attachment.bin>


More information about the Opendnssec-user mailing list