[Opendnssec-user] ds-seen on a retired key: standby

Matthijs Mekking matthijs at pletterpet.nl
Mon Nov 16 08:23:44 UTC 2015


Jan-Piet,

On 13-11-15 09:40, Jan-Piet Mens wrote:
> I need a sanity check please: consider the following zone held by
> OpenDNSSEC 1.4.7 on November 11th:
> 
> Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
> tt01    KSK           retire    2015-11-12 13:21:36 (dead)     23900
> tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088
> tt01    KSK           active    2016-11-10 09:34:57 (retire)   11519
> 
> I then (erroneously) issue a ds-seen on the retired KSK: (FWIW, this
> happened automatically using parent_control [1], though certainly no fault
> there; I have since worked around this by ensuring that a ds-seen is
> issued on an ACTIVE key only.)

Should the key not be in ready or dssub state instead of the active
state? Because if it is active, it is already in use.

Anyway, making sure the current key state makes sense might be a useful
addition to the ods-ksmutil ds-seen command.


> $ preload ods-ksmutil key ds-seen --zone tt01 --keytag 23900
> Found key with CKA_ID 4e7989ca670a7f421fd51d6e9373c271
> Key 4e7989ca670a7f421fd51d6e9373c271 made into standby
> Notifying enforcer of new database...
> Performed a HUP ods-enforcerd
> 
> The result is as follows:
> 
> $ preload ods-ksmutil key list --zone tt01 -v
> Keys:
> Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
> tt01    KSK           dspublish 2015-11-13 13:15:46 (dsready)  23900
> tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088
> tt01    KSK           active    2016-11-10 09:34:57 (retire)   11519
> 
> The ds-seen indicates the key has been turned into a standby key. Why is
> that done?

Because there is no key state sanity checking, and thus you now made
OpenDNSSEC believe it is safe to move to the dspublish state.


> Followup question: I haven't found any combination of commands which
> will "un-standby" (i.e. remove, whatever) that key, other than 
> manipulating the underlying database tables.

Once in dspublish, you have to wait until time has passed.

>> I'm unsure there is tooling for that. Though I would expect
>>
>> ods-ksmutil key ksk-retire --zone tt01 --cka_id
>> 4e7989ca670a7f421fd51d6e9373c271
>>
>> to have the effect you are looking for.
>
> No, that didn't work, at least not by specifying key tag (no keys in
> ACTIVE state match...). I tried all combinations that came to mind; none
> worked.


Unfortunately you can only retire keys that are in the active state. So
the playbook for removing the key again seems to be: wait, wait a little
bit more, pizza, ksk-retire.


Best regards,
  Matthijs


> Regards,
> 
>         -JP
> 
> [1] https://dnssec.surfnet.nl/?p=808
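An added example, not from the thread and not part of OpenDNSSEC, of the state check discussed above: a wrapper that parses `ods-ksmutil key list -v` output and only issues `ds-seen` when the named key is in a state where a DS acknowledgement makes sense. The allowed set (ready, dssub) is an assumption taken from Matthijs's reply; the first listing is the one from the thread, the second is constructed.

```shell
#!/bin/sh
# Guard around "ods-ksmutil key ds-seen": refuse to acknowledge a DS for a key
# whose current state does not call for one (e.g. retire or active).

# Listing from the thread (zone tt01, 11 Nov 2015), used as sample input.
LIST_RETIRED='Keys:
Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
tt01    KSK           retire    2015-11-12 13:21:36 (dead)     23900
tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088
tt01    KSK           active    2016-11-10 09:34:57 (retire)   11519'

# Constructed listing with a KSK waiting for its DS (keytag is made up).
LIST_READY='Keys:
Zone:   Keytype:      State:    Date of next transition (to):  Keytag:
tt01    KSK           ready     2015-11-20 10:00:00 (active)   40001
tt01    ZSK           active    2015-12-08 13:27:29 (retire)   11088'

# key_state ZONE KEYTAG < listing
# Prints the State column of the matching row; exit 1 if there is no such key.
# Keytag is the last column, so the "(dead)"/"(retire)" token does not matter.
key_state() {
    awk -v zone="$1" -v tag="$2" \
        '$1 == zone && $NF == tag { print $3; found = 1 }
         END { exit found ? 0 : 1 }'
}

# ds_seen_allowed ZONE KEYTAG < listing
# Exit 0 only when the key is in a state where ds-seen is expected
# (assumed allowed set: ready, dssub).
ds_seen_allowed() {
    state=$(key_state "$1" "$2") || { echo "no key $2 in zone $1" >&2; return 1; }
    case "$state" in
        ready|dssub) return 0 ;;
        *) echo "refusing ds-seen: key $2 in zone $1 is in state '$state'" >&2
           return 1 ;;
    esac
}

# guarded_ds_seen ZONE KEYTAG: what a parent_control-style hook would call
# instead of running ds-seen unconditionally.
guarded_ds_seen() {
    ods-ksmutil key list --zone "$1" -v | ds_seen_allowed "$1" "$2" || return 1
    ods-ksmutil key ds-seen --zone "$1" --keytag "$2"
}
```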