[Opendnssec-user] ds-seen on a retired key: standby
Jan-Piet Mens
jpmens.dns at gmail.com
Fri Nov 13 08:40:36 UTC 2015
I need a sanity check please: consider the following zone held by
OpenDNSSEC 1.4.7 on November 11th:
Zone:  Keytype:  State:   Date of next transition (to):  Keytag:
tt01   KSK       retire   2015-11-12 13:21:36 (dead)     23900
tt01   ZSK       active   2015-12-08 13:27:29 (retire)   11088
tt01   KSK       active   2016-11-10 09:34:57 (retire)   11519
I then (erroneously) issue a ds-seen on the retired KSK: (FWIW, this
happened automatically using parent_control [1], though certainly no fault
there; I have since worked around this by ensuring that a ds-seen is
issued on an ACTIVE key only.)
$ preload ods-ksmutil key ds-seen --zone tt01 --keytag 23900
Found key with CKA_ID 4e7989ca670a7f421fd51d6e9373c271
Key 4e7989ca670a7f421fd51d6e9373c271 made into standby
Notifying enforcer of new database...
Performed a HUP ods-enforcerd
The result is as follows:
$ preload ods-ksmutil key list --zone tt01 -v
Keys:
Zone:  Keytype:  State:      Date of next transition (to):  Keytag:
tt01   KSK       dspublish   2015-11-13 13:15:46 (dsready)  23900
tt01   ZSK       active      2015-12-08 13:27:29 (retire)   11088
tt01   KSK       active      2016-11-10 09:34:57 (retire)   11519
The ds-seen indicates the key has been turned into a standby key. Why is
that done?
Followup question: I haven't found any combination of commands which
will "un-standby" (i.e. remove, whatever) that key, other than
manipulating the underlying database tables.
Regards,
-JP
[1] https://dnssec.surfnet.nl/?p=808
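As an added illustration of the workaround mentioned in the post (only ever issuing ds-seen against an ACTIVE KSK), here is a small POSIX sh guard. It is example code written for this page, not part of the original message, of parent_control, or of OpenDNSSEC. It assumes the row layout of "ods-ksmutil key list --zone Z -v" shown above, with the state in the third column and the keytag in the last column, and it works on a constructed copy of that listing so it can be run offline; the real command is passed in as an optional fourth argument so the guard can be dry-run with echo.

```shell
#!/bin/sh
# Guard for "ods-ksmutil key ds-seen" (added example, not the project's own code).
# Assumption: "ods-ksmutil key list --zone Z -v" prints one key per row as
#   ZONE KEYTYPE STATE DATE TIME (NEXT-STATE) KEYTAG
# i.e. the state is field 3 and the keytag is the last field, as in the post.

# Constructed sample listing mirroring the post's "key list -v" output
# before the erroneous ds-seen: 23900 is the retired KSK, 11519 the active one.
SAMPLE_LISTING='Keys:
Zone: Keytype: State: Date of next transition (to): Keytag:
tt01 KSK retire 2015-11-12 13:21:36 (dead) 23900
tt01 ZSK active 2015-12-08 13:27:29 (retire) 11088
tt01 KSK active 2016-11-10 09:34:57 (retire) 11519'

# key_state LISTING ZONE KEYTAG
# Prints the state of the KSK with that keytag in that zone, or nothing if
# no such KSK row exists (ZSK rows are deliberately ignored: ds-seen is a KSK operation).
key_state() {
    printf '%s\n' "$1" | awk -v zone="$2" -v tag="$3" \
        '$1 == zone && $2 == "KSK" && $NF == tag { print $3; exit }'
}

# ds_seen_if_active LISTING ZONE KEYTAG [CMD]
# Runs "CMD key ds-seen --zone ZONE --keytag KEYTAG" only when the KSK is in
# state "active". CMD defaults to ods-ksmutil; pass "echo" for a dry run.
# Exit status: 0 issued, 1 refused because of the state, 2 keytag not a KSK in the zone.
ds_seen_if_active() {
    listing=$1; zone=$2; tag=$3; cmd=${4:-ods-ksmutil}
    state=$(key_state "$listing" "$zone" "$tag")
    case "$state" in
        "")
            echo "refusing ds-seen: keytag $tag is not a KSK in zone $zone" >&2
            return 2 ;;
        active)
            $cmd key ds-seen --zone "$zone" --keytag "$tag" ;;
        *)
            echo "refusing ds-seen: keytag $tag is in state '$state', not active" >&2
            return 1 ;;
    esac
}

# Demo against the constructed listing, with echo standing in for ods-ksmutil:
# 11519 is active, so the command line is printed; 23900 is retired, so it is refused.
ds_seen_if_active "$SAMPLE_LISTING" tt01 11519 echo
ds_seen_if_active "$SAMPLE_LISTING" tt01 23900 echo || true
```

In production the listing would come from "ods-ksmutil key list --zone "$zone" -v" (with the preload wrapper if you use one) and the fourth argument would be omitted; because the guard re-reads the key list immediately before acting, a KSK that has moved to retire between the parent's DS update and the ds-seen call is refused rather than turned into a standby key.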