[Opendnssec-user] End-of-life OpenDNSSEC 1.3 on 2017-07-11
Wytze van der Raay
wytze at deboca.net
Mon Jul 18 14:29:16 UTC 2016
On 07/17/2016 12:47 PM, Wytze van der Raay wrote:
> On 07/16/2016 09:37 PM, Yuri Schaeffer wrote:
>> ...
>> This is not right at all. The key identifies as a ZSK, but looks more
>> like a CSK (zsk+ksk)! I recommend to initiate a rollover for that zone.
>> For both the ksk and zsk. Make sure your policy in kasp.xml looks good.
>
> I've tried this for one zone, but only appears to make things worse :-(
> According to 'key list', there is now a new KSK with id 330, but
> ods-enforcerd wants me to submit the DS with keytag 11318, which
> is a ZSK according to key list. And when I use key export -d to
> get the DS to be submitted, it only gives me DS's for 11318 (and
> some retired keys). How can I get the DS for keytag 330??
>
> Right now, it looks to me that the only way to recover is to
> turn off DNSSEC for all zones, and start from scratch :-(
Well, after waiting a day, a somewhat friendlier solution has presented
itself. After exoiry of a timer for the newly created KSK 330, the
ods-enforcer key export -d *did* actually give me the DS records for
KSK 330 (and some other useless ones). After uploading these DS records
to the registrar, the zone did come back to life, and is basically
looking healthy now.
Still, this is not a feasible method to repair my other zones, since
I don't want to see them die DNSSEC-wise, while waiting for the timer
to expire. Only after that (many hours later) ods-enforcer key export -d
will finally give me the desired DS records.
I am wondering what criteria are applied by the code to decide which keys
to export. It looks like they are wrong most of the time. Right now, with
the zone restored to working state, it is exporting the DS for a retired
ZSK. How could that ever be useful??
FYI, I have attached the output from key list -v and key list -d for this
zone. The only exported key is now 13284 (retired ZSK).
Even when I explicitly specify "key export -t KSK", it is still giving me
this retired ZSK 13284.
Regards,
-- wytze
-------------- next part --------------
cmd> key list -d -z cacert.net
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
cacert.net KSK hidden hidden hidden hidden 0 0 35be9c4ac39a73e3e9f028ef7eff5f9c
cacert.net KSK unretentive hidden hidden unretentive 0 0 e3142e3ba1b64e60c21d84e11560dda3
cacert.net ZSK unretentive omnipresent omnipresent unretentive 1 1 76a8f7379194d85a45fb3cf01f68e419
cacert.net ZSK unretentive hidden hidden unretentive 0 0 7fa3a16e9d31fe19b7340ee3285d8c71
cacert.net KSK rumoured omnipresent omnipresent NA 1 1 c6e74584b7803337b29565c66c61334c
cacert.net ZSK NA omnipresent NA rumoured 1 1 bf100449261822f2083234e1739374ad
key list completed in 0 seconds.
Daemon exit code: 0
cmd> key list -v -z cacert.net
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
cacert.net KSK retire 2016-07-18 23:50:01 2048 7 35be9c4ac39a73e3e9f028ef7eff5f9c SoftHSM 32509
cacert.net KSK retire 2016-07-18 23:50:01 2048 7 e3142e3ba1b64e60c21d84e11560dda3 SoftHSM 29296
cacert.net ZSK retire waiting for ds-retract 1024 7 76a8f7379194d85a45fb3cf01f68e419 SoftHSM 13284
cacert.net ZSK retire 2016-07-18 23:50:01 1024 7 7fa3a16e9d31fe19b7340ee3285d8c71 SoftHSM 11318
cacert.net KSK active 2016-07-18 23:50:01 2048 7 c6e74584b7803337b29565c66c61334c SoftHSM 330
cacert.net ZSK ready 2016-07-18 23:50:01 1024 7 bf100449261822f2083234e1739374ad SoftHSM 44043
key list completed in 0 seconds.
Daemon exit code: 0
cmd>
More information about the Opendnssec-user
mailing list