[Opendnssec-user] End-of-life OpenDNSSEC 1.3 on 2017-07-11

Wytze van der Raay wytze at deboca.net
Sun Jul 17 10:47:28 UTC 2016

Hi Yuri,

On 07/16/2016 09:37 PM, Yuri Schaeffer wrote:
> I'll try to answer as much as possible with what comes to mind. Further
> analysis will have to wait a bit.

That's fine.

> ...
>> 2. After converting kasp.db and bringing up the new software, all
>>    zones were immediately re-signed, but the SOA in each zone was
>>    reset to the (old) datetime value in the unsigned copy, which
>>    is much lower than the value in the signed zonefiles produced
>>    by 1.4.10 and earlier. Thus my secondary servers did not accept
>>    the newly re-signed zones.
> I think 2.0.0 *should* be able to parse the 1.4.10 signconf files.
> However I'm less sure about earlier versions. At this point I'm not
> entirely sure there is an upgrade path that allows one to keep the
> signconf from old versions. This may mean loosing the SOA serial. We
> need to properly document/guide this I think.

Your explanation is probably spot-on. Although I had been running with
1.4.10 for one day, I can observe now that the signconf files had not
been rewritten yet by the 1.4.10 software, so they were still in 1.3.18
format (apparently these files are not rewritten very often?)
But yes, this definitely requires some warnings in the MIGRATION docs.

> ...
> This is not right at all. The key identifies as a ZSK, but looks more
> like a CSK (zsk+ksk)! I recommend to initiate a rollover for that zone.
> For both the ksk and zsk. Make sure your policy in kasp.xml looks good.

I've tried this for one zone, but only appears to make things worse :-(
According to 'key list', there is now a new KSK with id 330, but
ods-enforcerd wants me to submit the DS with keytag 11318, which
is a ZSK according to key list. And when I use key export -d to
get the DS to be submitted, it only gives me DS's for 11318 (and
some retired keys). How can I get the DS for keytag 330??

Right now, it looks to me that the only way to recover is to
turn off DNSSEC for all zones, and start from scratch :-(

> ...
> It should not ask that for a ZSK. Something has gone wrong with the
> database conversion I guess. Do you still have the database as produced
> by 1.4.10? I'd like to compare it to your 2.0.0 database.

I will send you those off-list.

> The second part: yes. Unless you specified <ManualRollover> for the KSK
> it will automatically roll as your policy prescribes. However if you
> don't indicate you retracted the old DS I expect both DNSKEYS to be
> published in your zone. And therefore not broken. Is this not the case?

I did *not* retract the old DS, but its DNSKEY is not published anymore in
the zone, so the zone is broken (by OpenDNSSEC 2.0 I am sad to conclude).

-- wytze

More information about the Opendnssec-user mailing list