[Opendnssec-user] ds-seen on a retired key: standby

Jan-Piet Mens jpmens.dns at gmail.com
Fri Nov 13 08:40:36 UTC 2015


I need a sanity check please: consider the following zone held by
OpenDNSSEC 1.4.7 on November 11th:

Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
tt01    KSK           retire    2015-11-12 13:21:36 (dead)     23900
tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088
tt01    KSK           active    2016-11-10 09:34:57 (retire)   11519

I then (erroneously) issue a ds-seen on the retired KSK: (FWIW, this
happened automatically using parent_control [1], though certainly no fault
there; I have since worked around this by ensuring that a ds-seen is
issued on an ACTIVE key only.)

$ preload ods-ksmutil key ds-seen --zone tt01 --keytag 23900
Found key with CKA_ID 4e7989ca670a7f421fd51d6e9373c271
Key 4e7989ca670a7f421fd51d6e9373c271 made into standby
Notifying enforcer of new database...
Performed a HUP ods-enforcerd

The result is as follows:

$ preload ods-ksmutil key list --zone tt01 -v
Keys:
Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
tt01    KSK           dspublish 2015-11-13 13:15:46 (dsready)  23900
tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088
tt01    KSK           active    2016-11-10 09:34:57 (retire)   11519

The ds-seen indicates the key has been turned into a standby key. Why is
that done?

Followup question: I haven't found any combination of commands which
will "un-standby" (i.e. remove, whatever) that key, other than
manipulating the underlying database tables.

Regards,

        -JP

[1] https://dnssec.surfnet.nl/?p=808
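The workaround the post describes, checking a KSK's state before issuing ds-seen, as an added example that is not part of the post or of OpenDNSSEC: the script parses the `ods-ksmutil key list` output shown above (embedded here as a constructed sample so it runs offline) and refuses ds-seen for any key not in an allowed state. The post's guard allows only active; "ready" is added on the assumption that in OpenDNSSEC 1.4 a new KSK waits in that state for ds-seen, and the allow-list, the `ODS_LIVE` switch and the column positions are all assumptions to verify against the local version.

```shell
#!/bin/sh
# Constructed sample of `ods-ksmutil key list --zone tt01 -v` output, copied
# from the post. Column positions (keytag last) follow that output; check them
# against the ods-ksmutil version in use before relying on the parser.
SAMPLE_KEY_LIST='Keys:
Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
tt01    KSK           retire    2015-11-12 13:21:36 (dead)     23900
tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088
tt01    KSK           active    2016-11-10 09:34:57 (retire)   11519'

# list_keys ZONE: set ODS_LIVE=1 to query the real enforcer, otherwise the
# constructed sample above is used so the script runs offline.
list_keys() {
    if [ "${ODS_LIVE:-0}" = 1 ]; then
        ods-ksmutil key list --zone "$1" -v
    else
        printf '%s\n' "$SAMPLE_KEY_LIST"
    fi
}

# key_state ZONE KEYTAG: print the State column of the KSK with that keytag
# (ZSKs are ignored on purpose; ds-seen only concerns KSKs). Prints nothing
# when no such KSK is listed.
key_state() {
    list_keys "$1" | awk -v zone="$1" -v tag="$2" \
        '$1 == zone && $2 == "KSK" && $NF == tag { print $3 }'
}

# States in which ds-seen is accepted (assumption: ready and active; adjust
# to local policy). Anything else, retire in particular, is refused.
DS_SEEN_OK_STATES="${DS_SEEN_OK_STATES:-ready active}"

# guard_ds_seen ZONE KEYTAG: return 0 if ds-seen may be issued, 1 otherwise.
guard_ds_seen() {
    state=$(key_state "$1" "$2")
    if [ -z "$state" ]; then
        echo "refusing ds-seen: no KSK with keytag $2 in zone $1" >&2
        return 1
    fi
    for ok in $DS_SEEN_OK_STATES; do
        [ "$state" = "$ok" ] && return 0
    done
    echo "refusing ds-seen: KSK $2 in zone $1 is in state '$state'" >&2
    return 1
}

# safe_ds_seen ZONE KEYTAG: issue ds-seen only when the guard passes.
safe_ds_seen() {
    guard_ds_seen "$1" "$2" || return 1
    if [ "${ODS_LIVE:-0}" = 1 ]; then
        ods-ksmutil key ds-seen --zone "$1" --keytag "$2"
    else
        echo "would run: ods-ksmutil key ds-seen --zone $1 --keytag $2"
    fi
}
```

After sourcing the script, `safe_ds_seen tt01 23900` is refused with the sample data because that KSK is in state retire, while `safe_ds_seen tt01 11519` passes the guard.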


