[Opendnssec-user] Migration to 2.0.1
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Aug 9 14:37:05 UTC 2016
Hi Fred,
> Today I tried to migrate from ods 1.4.10 to 2.0.1 on our test system.
> After the migration of the database and after adding the keytags I
> started the new ods and it seems to run.
> The first thing I noticed is that there are now some keys in the state
> "waiting for ds-gone". I have the impression that these are our backup
> KSK keys. Is this normal? I found that there is now a command
> "ods-enforcer key ds-gone". This brings the keys to the state "retire".
> What is the idea behind this?
First, that could very well be your backup keys. 1.4 kept KSKs around
with only the DS published. 2.0 does not use backup keys, so it is just
removing them.
The ds-gone follows the same semantics as ds-seen. In 1.4, DS operations
would happen on a pair of keys (old KSK + new KSK): a new DS got added
to the parent and the old DS removed, so a ds-seen would imply a
ds-gone. Now, 2.0 is built to support other kinds of rollovers, hence the
need for an explicit command.
> I further noticed that "ods-enforcer key list" lists the keys in a
> different order. Previously, all keys of a domain were listed together.
> Now I do not immediately see how they are sorted. It makes it a bit more
> difficult to see the state of a zone, but it can be easily worked around
> with the --zone option.
Indeed. It is in the order the database returns the records.
> Then I see that the output from "ods-enforcer backup list -v" is very
> different from what previously was shown with "ods-ksmutil backup list
> -v". The latter listed the backups with a date/time, but now I see a
> list of hexadecimal numbers. What does it mean?
Hmm. These are the locators of the keys on your HSM. But... no state is
being printed yet. I'll make an issue for this, so we can have this in a
future release. In the meantime I advise against using <RequireBackup/>
in conf.xml. You can still back up your keys (that was always an
external process), but you can't tell OpenDNSSEC about this backup
status yet.
Regards,
Yuri
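The explicit ds-gone step discussed above means the operator, not the enforcer, asserts that the old KSK's DS has left the parent. The script below is an added example, not code from this thread or from the OpenDNSSEC project: it checks the parent's authoritative server for a DS with the old key tag and only issues `ods-enforcer key ds-gone` when none is found. The zone, key tag and DS records are constructed, and the `--zone`/`--keytag` options are assumed from the 2.0 command line (confirm with `ods-enforcer help key`).

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenDNSSEC):
# confirm at the parent that a KSK's DS is really gone before telling the
# 2.0 enforcer so with "ods-enforcer key ds-gone".
# Zone names and key tags used here are constructed; the ods-enforcer
# options are assumed from the 2.0 CLI (check "ods-enforcer help key").

# ds_present DS_RRSET KEYTAG
# DS_RRSET is the text printed by "dig +short DS <zone>", one DS per line:
#   <keytag> <algorithm> <digest type> <digest>
# Returns 0 if a DS with KEYTAG is present, 1 otherwise.
ds_present() {
    printf '%s\n' "$1" | awk -v tag="$2" '
        NF >= 4 && $1 == tag { found = 1 }
        END { exit found ? 0 : 1 }'
}

# confirm_ds_gone ZONE KEYTAG PARENT_NS
# Queries the parent's authoritative server directly (not a resolver, whose
# cache could still hold the old DS) and only then issues ds-gone. The
# enforcer still waits the parent DS TTL configured in kasp.xml before it
# considers the old KSK safe to remove from the zone.
confirm_ds_gone() {
    zone=$1
    tag=$2
    parent=$3
    rrset=$(dig +short DS "$zone" "@$parent")
    if ds_present "$rrset" "$tag"; then
        echo "DS for key tag $tag still published at $parent; not issuing ds-gone" >&2
        return 1
    fi
    ods-enforcer key ds-gone --zone "$zone" --keytag "$tag"
}

# Usage: ./confirm-ds-gone.sh example.com 12345 a.gtld-servers.net
# (all three values constructed for illustration)
if [ "$#" -eq 3 ]; then
    confirm_ds_gone "$@"
fi
```

Run it once per retired KSK after the registrar reports the DS removal; if the parent still serves the old DS the script refuses to touch the enforcer, which is the failure mode you want, since a premature ds-gone lets the enforcer start removing a KSK that validators can still reach through the parent.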