[Opendnssec-user] ds-seen on a retired key: standby
yuri at nlnetlabs.nl
Fri Nov 13 09:04:04 UTC 2015
> $ preload ods-ksmutil key list --zone tt01 -v
> Keys:
> Zone:   Keytype:   State:      Date of next transition (to):    Keytag:
> tt01    KSK        dspublish   2015-11-13 13:15:46 (dsready)    23900
> tt01    ZSK        active      2015-12-08 13:27:29 (retire)     11088
> tt01    KSK        active      2016-11-10 09:34:57 (retire)     11519
> The ds-seen indicates the key has been turned into a standby key.
> Why is that done?
I have no knowledge of that design decision, or in fact whether that was a
decision at all. It does make sense though. Presumably you are using
<ManualRollover/> for the KSK; reintroducing the DS pushes the
state machine to "publish DS but hold off DNSKEY".
> Followup question: I haven't found any combination of commands
> which will "un-standby" (i.e. remove, whatever) that key, other
> than manipulating the underlying database tables.
I'm unsure there is tooling for that. Though I would expect
ods-ksmutil key ksk-retire --zone tt01 --cka_id
to have the effect you are looking for.
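The check a practitioner would want before running any retire command is to see which KSK is the extra one: a zone that already has an active KSK plus a second KSK parked in dspublish, dsready or standby is the situation described in this thread. The following is an added example, not code from the thread or from the OpenDNSSEC project; the key listing it parses is constructed to mirror the one quoted above, and it assumes, as that listing shows, that the Keytag is the last column of each line.

```shell
#!/bin/sh
# Constructed sample of `ods-ksmutil key list --zone tt01 -v` output, modelled
# on the listing quoted in the thread (not captured from a real system).
SAMPLE_KEYLIST='Keys:
Zone:  Keytype:  State:     Date of next transition (to):   Keytag:
tt01   KSK       dspublish  2015-11-13 13:15:46 (dsready)   23900
tt01   ZSK       active     2015-12-08 13:27:29 (retire)    11088
tt01   KSK       active     2016-11-10 09:34:57 (retire)    11519'

# Print the keytags of every key of the given type in the given state.
# Usage: keys_in_state KSK dspublish
# Skips the two header lines; assumes the keytag is the last field (as in the
# quoted listing). Reads $SAMPLE_KEYLIST; on a real host, replace that with
# the output of `ods-ksmutil key list --zone <zone> -v`.
keys_in_state() {
    printf '%s\n' "$SAMPLE_KEYLIST" | awk -v type="$1" -v state="$2" \
        'NR > 2 && $2 == type && $3 == state { print $NF }'
}

# If the zone already has an active KSK, list any other KSK that is only
# sitting in dspublish/dsready/standby: that is the key the thread is
# asking how to get rid of. Prints nothing when there is no active KSK,
# because then the dspublish key is the legitimate incoming one.
extra_ksks() {
    active=$(keys_in_state KSK active | awk 'END { print NR }')
    [ "$active" -ge 1 ] || return 0
    for s in dspublish dsready standby; do
        keys_in_state KSK "$s"
    done
}

# Stand-alone run: report the extra KSK keytag(s) for the sample zone.
extra_ksks
```

The keytags this prints are the ones to look up (for their CKA_ID) before deciding whether the thread's suggested `ods-ksmutil key ksk-retire --zone <zone> --cka_id <id>` is the right step for that key.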