[Opendnssec-user] ods-enforcerd in error loop required manual ods-ksmutil hacking to get unstuck :(

Simon Arlott simon at arlott.org
Sat Sep 27 12:14:45 UTC 2014


On 27/09/14 12:38, Simon Arlott wrote:
> On 27/09/14 10:32, Simon Arlott wrote:
>>> What was in the signconf.xml? Because
>>> if the ZSK was not configured there, the signer will happily sign the
>>> zone with just the KSK (if in signconf.xml of course).
>> 
>> I have the same problem. I had recently deleted a zone with:
>> $ ods-ksmutil zone delete --zone example.com
>> 
>> About 45 minutes later, for a different zone, it removed all the
>> signatures except those made by the KSK on the DNSKEY RRs. At the same
>> time it also removed the previous ZSK:
> 
> sqlite> select * from keydata_view where zone_id=41 order by publish;
> id|state|generate|publish|ready|active|retire|dead|keytype|algorithm|location|zone_id|policy_id|securitymodule_id|size|compromisedflag|fixedDate
> 572|4|2014-03-27 14:15:36|2014-03-27 14:15:55|2014-03-28 19:15:50|2014-03-29 13:15:11|2015-03-29 13:15:11||257|10|5e542722830a435d0d81147ac93abfdd|41|1|1|1536||0
> 588|6|2014-04-09 19:15:38|2014-04-09 19:15:54|2014-04-10 23:16:18|2014-04-11 00:16:27|2014-07-13 00:16:35|2014-09-15 03:16:54|256|10|3546bb15af9d76528456edda7e598d66|41|1|1|1280||0
> 622|6|2014-07-11 20:16:04|2014-07-11 20:16:19|2014-07-13 00:16:35|2014-07-13 00:16:35|2014-10-14 00:16:35|2014-09-26 21:32:57|256|10|9d6ead2e49d09e17b8836717a612bc39|41|1|1|1280||0
> 580|2|2014-04-09 17:16:18|2014-09-26 22:16:10|2014-09-28 02:16:10||||256|10|4b8a3da57795e718c29eb8c611d2fa1a|41|1|1|1280||0
> 
> These are the keys belonging to the deleted zone:
> sqlite> select * from keydata_view where zone_id is null;
> id|state|generate|publish|ready|active|retire|dead|keytype|algorithm|location|zone_id|policy_id|securitymodule_id|size|compromisedflag|fixedDate
> 525||2013-08-09 07:52:33|||||||10|6a04bbf7856da75cd28390250ddd6aba||1|1|1536||0
> 613||2014-07-11 19:15:34|||||||10|ce1ffd3f83c091c17e494cd82600ca9f||1|1|1280||0

sqlite> select * from dnsseckeys where zone_id=41;
id|keypair_id|zone_id|keytype|state|publish|ready|active|retire|dead
484|572|41|257|4|2014-03-27 14:15:55|2014-03-28 19:15:50|2014-03-29 13:15:11|2015-03-29 13:15:11|
503|588|41|256|6|2014-04-09 19:15:54|2014-04-10 23:16:18|2014-04-11 00:16:27|2014-07-13 00:16:35|2014-09-15 03:16:54
525|622|41|256|6|2014-07-11 20:16:19|2014-07-13 00:16:35|2014-07-13 00:16:35|2014-10-14 00:16:35|2014-09-26 21:32:57
535|580|41|256|2|2014-09-26 22:16:10|2014-09-28 02:16:10|||

It has marked the keys with id=525 and id=613 as dead instead of the
keys with keypair_id=525 and keypair_id=613.

This was fixed in r6351 (SUPPORT-27). I've now manually repaired the
database.


The effect of a key becoming dead or going missing is still broken as of
r7647:

> Regardless of how the old key got marked dead, it should have made the
> new ZSK active immediately because there were no other live ZSKs.

-- 
Simon Arlott
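As an added illustration (not OpenDNSSEC code, and not the change made in r6351), the script below rebuilds a toy version of the enforcer's dnsseckeys table from the rows in the post, reproduces the id-versus-keypair_id mix-up described above as a single wrong column name in the "mark dead" statement, and then runs the two sanity queries a practitioner would want after an incident like this: keys that were marked dead before their own retire time, and zones left with no active ZSK. The schema is simplified, the zone 42 rows (ids 600 and 601) are constructed, and the state numbering (1 generate, 2 publish, 3 ready, 4 active, 5 retire, 6 dead) is inferred from the rows in the post rather than taken from the project's source.

```python
# Added example, not OpenDNSSEC's own code: a toy copy of the enforcer's
# dnsseckeys table, the id-vs-keypair_id mix-up reproduced, and two sanity
# queries for spotting the damage it does.
import sqlite3

# Assumed state numbering, inferred from the rows in the post.
PUBLISH, ACTIVE, DEAD = 2, 4, 6
ZSK, KSK = 256, 257

# Constructed rows modelled on the post: zone 41 is live, zone 42 is the zone
# about to be deleted (its two rows are invented).  The keypair ids of zone
# 42's keys deliberately collide with dnsseckeys.id values of zone 41's rows.
# Columns: id, keypair_id, zone_id, keytype, state, retire, dead
ROWS = [
    (484, 572, 41, KSK, ACTIVE,  "2015-03-29 13:15:11", None),
    (503, 588, 41, ZSK, DEAD,    "2014-07-13 00:16:35", "2014-09-15 03:16:54"),
    (525, 622, 41, ZSK, ACTIVE,  "2014-10-14 00:16:35", None),
    (535, 580, 41, ZSK, PUBLISH, None,                  None),
    (600, 525, 42, KSK, ACTIVE,  "2015-01-01 00:00:00", None),
    (601, 613, 42, ZSK, ACTIVE,  "2014-12-01 00:00:00", None),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE dnsseckeys (
        id INTEGER PRIMARY KEY, keypair_id INTEGER, zone_id INTEGER,
        keytype INTEGER, state INTEGER, retire TEXT, dead TEXT)""")
    con.executemany("INSERT INTO dnsseckeys VALUES (?,?,?,?,?,?,?)", ROWS)
    con.commit()
    return con


def delete_zone(con, zone_id, now, buggy):
    """Mark the zone's keys dead, then drop its dnsseckeys rows.

    The only difference between the two variants is which column the
    collected keypair ids are matched against: dnsseckeys.id is a row
    number, keypair_id is the key.  Matching on the wrong one kills
    whichever unrelated rows happen to share those numbers.
    """
    kp_ids = [r[0] for r in con.execute(
        "SELECT keypair_id FROM dnsseckeys WHERE zone_id=?", (zone_id,))]
    if not kp_ids:
        return
    column = "id" if buggy else "keypair_id"
    marks = ",".join("?" * len(kp_ids))
    con.execute(f"UPDATE dnsseckeys SET state=?, dead=? WHERE {column} IN ({marks})",
                [DEAD, now, *kp_ids])
    con.execute("DELETE FROM dnsseckeys WHERE zone_id=?", (zone_id,))
    con.commit()


def dead_before_retire(con):
    """Keys whose dead timestamp precedes their scheduled retire time:
    a key that died early was not retired by the rollover logic."""
    return list(con.execute(
        "SELECT id, keypair_id, zone_id FROM dnsseckeys "
        "WHERE dead IS NOT NULL AND retire IS NOT NULL AND dead < retire "
        "ORDER BY id"))


def zones_without_active_zsk(con):
    """Zones that still have key rows but no ZSK in the active state;
    such a zone is being served with RRSIGs from the KSK only."""
    return [r[0] for r in con.execute(
        "SELECT DISTINCT zone_id FROM dnsseckeys d WHERE NOT EXISTS ("
        "  SELECT 1 FROM dnsseckeys a WHERE a.zone_id=d.zone_id "
        "  AND a.keytype=? AND a.state=?) ORDER BY zone_id", (ZSK, ACTIVE))]


def run(buggy):
    """Delete zone 42 with the buggy or the correct statement and report
    (keys killed early, zones left without an active ZSK)."""
    con = build_db()
    delete_zone(con, 42, "2014-09-26 21:32:57", buggy)
    return dead_before_retire(con), zones_without_active_zsk(con)


if __name__ == "__main__":
    print("buggy  :", run(True))
    print("correct:", run(False))
```

With the wrong column, deleting zone 42 kills dnsseckeys row 525 (keypair 622, zone 41's only active ZSK) and leaves zone 41 with no active ZSK, which is exactly the KSK-only signing state reported above; with the right column only zone 42's own rows are touched. Both queries are cheap enough to run against a real enforcer database before trusting a rollover.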



More information about the Opendnssec-user mailing list