[Opendnssec-user] ds-seen on a retired key: standby
Yuri Schaeffer
yuri at nlnetlabs.nl
Fri Nov 13 09:04:04 UTC 2015
Hi JP,
> $ preload ods-ksmutil key list --zone tt01 -v
> Keys:
> Zone:  Keytype:  State:      Date of next transition (to):  Keytag:
> tt01   KSK       dspublish   2015-11-13 13:15:46 (dsready)  23900
> tt01   ZSK       active      2015-12-08 13:27:29 (retire)   11088
> tt01   KSK       active      2016-11-10 09:34:57 (retire)   11519
>
> The ds-seen indicates the key has been turned into a standby key.
> Why is that done?
I have no knowledge of that design decision, or in fact whether that was a
decision at all. It does make sense though. Presumably you are using
<ManualRollover/> for the KSK; reintroducing the DS pushes the
state machine to "publish DS but hold off DNSKEY".
> Followup question: I haven't found any combination of commands
> which will "un-standby" (i.e. remove, whatever) that key, other
> than manipulating the underlying database tables.
I'm unsure there is tooling for that, though I would expect

ods-ksmutil key ksk-retire --zone tt01 --cka_id 4e7989ca670a7f421fd51d6e9373c271

to have the effect you are looking for.
Regards,
Yuri
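The reply above points at the two steps a practitioner actually performs: spot which KSK has been parked in a standby state, then hand its identifier to "key ksk-retire". The script below is an added example, not code from the OpenDNSSEC project or from either poster. It filters the text output of "ods-ksmutil key list" for KSKs in the standby states that appear in the quoted list (dspublish, dsready) and prints the retire command for each. It assumes the column layout shown in the quoted output (Zone, Keytype, State, transition date, Keytag last) and the "--keytag" selector that the ods-ksmutil 1.4 man page documents next to "--cka_id" for ksk-retire; the key list fed to it is constructed to match the thread. If your installation's "-v" output adds CKA_ID and Repository columns, adjust the awk field positions and pass "--cka_id" instead, as in the reply.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC code): find standby KSKs in "ods-ksmutil key list"
# output and emit the ksk-retire command for each one.
# Assumptions: columns are Zone, Keytype, State, "Date of next transition (to)",
# Keytag (last field); standby states are dspublish and dsready as seen in the
# thread; "--keytag" is accepted by "key ksk-retire" per the 1.4 man page.

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE_KEYLIST='Keys:
Zone:  Keytype:  State:      Date of next transition (to):  Keytag:
tt01   KSK       dspublish   2015-11-13 13:15:46 (dsready)  23900
tt01   ZSK       active      2015-12-08 13:27:29 (retire)   11088
tt01   KSK       active      2016-11-10 09:34:57 (retire)   11519'

# standby_ksks ZONE  (key list text on stdin)
# Prints "zone keytag state" for every KSK of ZONE in a standby state.
# The header lines never match because their first field is not the zone name.
standby_ksks() {
    awk -v zone="$1" '
        $1 == zone && $2 == "KSK" && ($3 == "dspublish" || $3 == "dsready") {
            print $1, $NF, $3
        }'
}

# retire_commands ZONE  (key list text on stdin)
# One ods-ksmutil invocation per standby KSK; review before running them.
retire_commands() {
    standby_ksks "$1" | while read -r zone keytag state; do
        printf 'ods-ksmutil key ksk-retire --zone %s --keytag %s\n' "$zone" "$keytag"
    done
}

# Usage: run the real listing through it, e.g.
#   ods-ksmutil key list --zone tt01 -v | retire_commands tt01
printf '%s\n' "$SAMPLE_KEYLIST" | retire_commands tt01
```

The active KSK (keytag 11519) is deliberately left alone: the filter keys on state, not on key type alone, so a retire is only proposed for the key that ds-seen parked in dspublish.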