[Opendnssec-user] Migration to 2.0.1

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Aug 9 14:37:05 UTC 2016

Hi Fred,

> Today I tried to migrate from ods 1.4.10 to 2.0.1 on our test system.
> After the migration of the database and after adding the keytags I
> started ods the new ods and it seems to run.
> The first thing I noticed is that there are now some keys in the state
> "waiting for ds-gone". I have the impression that these are our backup
> KSK keys. Is this normal? I found that there is now a command
> "ods-enforcer key ds-gone". This brings the keys to the state "retire".
> What is the idea behind this?

First that could very well be your backup keys. 1.4. kept KSK around 
with only DS published. 2.0 does not use backup keys so it is just 
removing them.

The ds-gone follows the same semantics as ds-seen. In 1.4 DS operations 
would happen on a pair (old KSK + new KSK) of keys. A new DS got added 
to the parent and the old DS removed. So a ds-seen would imply a 
ds-gone. Now, 2.0 is built to support other kind of rollovers. Hence the 
need for an explicit command.

> I further noticed that "ods-enforcer key list" lists the keys in a
> different order. Previously, all keys of a domain were listed together.
> Now I do not immediately see how they are sorted. It makes it a bit more
> difficult to see the state of a zone, but it can be easily worked around
> with the --zone option.

Indeed. It is in the order the database returns the records.

> Then I see that the output from "ods-enforcer backup list -v" is very
> different from what previously was shown with "ods-ksmutil backup list
> -v". The latter listed the backups with a date/time, but now I see a
> list of hexadecimal numbers. What does it mean?

hmm. These are the locators of the keys on your HSM. But... No state is 
being printed yet. I'll make a issue for this, so we can have this on a 
future release. In the mean time I advice against using <RequireBackup/> 
in conf.xml. You can still backup your keys though -that was always an 
external process- but you can't tell OpenDNSSEC yet about this backup 


More information about the Opendnssec-user mailing list