[Opendnssec-user] End-of-life OpenDNSSEC 1.3 on 2017-07-11

Wytze van der Raay wytze at deboca.net
Mon Jul 18 14:29:16 UTC 2016

On 07/17/2016 12:47 PM, Wytze van der Raay wrote:
> On 07/16/2016 09:37 PM, Yuri Schaeffer wrote:

>> ...
>> This is not right at all. The key identifies as a ZSK, but looks more
>> like a CSK (zsk+ksk)! I recommend to initiate a rollover for that zone.
>> For both the ksk and zsk. Make sure your policy in kasp.xml looks good.
> I've tried this for one zone, but only appears to make things worse :-(
> According to 'key list', there is now a new KSK with id 330, but
> ods-enforcerd wants me to submit the DS with keytag 11318, which
> is a ZSK according to key list. And when I use key export -d to
> get the DS to be submitted, it only gives me DS's for 11318 (and
> some retired keys). How can I get the DS for keytag 330??
> Right now, it looks to me that the only way to recover is to
> turn off DNSSEC for all zones, and start from scratch :-(

Well, after waiting a day, a somewhat friendlier solution has presented
itself. After exoiry of a timer for the newly created KSK 330, the
ods-enforcer key export -d *did* actually give me the DS records for
KSK 330 (and some other useless ones). After uploading these DS records
to the registrar, the zone did come back to life, and is basically
looking healthy now.

Still, this is not a feasible method to repair my other zones, since
I don't want to see them die DNSSEC-wise, while waiting for the timer
to expire. Only after that (many hours later) ods-enforcer key export -d
will finally give me the desired DS records.

I am wondering what criteria are applied by the code to decide which keys
to export. It looks like they are wrong most of the time. Right now, with
the zone restored to working state, it is exporting the DS for a retired
ZSK. How could that ever be useful??

FYI, I have attached the output from key list -v and key list -d for this
zone. The only exported key is now 13284 (retired ZSK).
Even when I explicitly specify "key export -t KSK", it is still giving me
this retired ZSK 13284.

-- wytze

-------------- next part --------------
cmd> key list -d -z cacert.net
Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
cacert.net                      KSK           hidden       hidden       hidden       hidden       0    0    35be9c4ac39a73e3e9f028ef7eff5f9c
cacert.net                      KSK           unretentive  hidden       hidden       unretentive  0    0    e3142e3ba1b64e60c21d84e11560dda3
cacert.net                      ZSK           unretentive  omnipresent  omnipresent  unretentive  1    1    76a8f7379194d85a45fb3cf01f68e419
cacert.net                      ZSK           unretentive  hidden       hidden       unretentive  0    0    7fa3a16e9d31fe19b7340ee3285d8c71
cacert.net                      KSK           rumoured     omnipresent  omnipresent  NA           1    1    c6e74584b7803337b29565c66c61334c
cacert.net                      ZSK           NA           omnipresent  NA           rumoured     1    1    bf100449261822f2083234e1739374ad
key list completed in 0 seconds.
Daemon exit code: 0
cmd> key list -v -z cacert.net
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
cacert.net                      KSK      retire    2016-07-18 23:50:01      2048  7          35be9c4ac39a73e3e9f028ef7eff5f9c SoftHSM     32509
cacert.net                      KSK      retire    2016-07-18 23:50:01      2048  7          e3142e3ba1b64e60c21d84e11560dda3 SoftHSM     29296
cacert.net                      ZSK      retire    waiting for ds-retract   1024  7          76a8f7379194d85a45fb3cf01f68e419 SoftHSM     13284
cacert.net                      ZSK      retire    2016-07-18 23:50:01      1024  7          7fa3a16e9d31fe19b7340ee3285d8c71 SoftHSM     11318
cacert.net                      KSK      active    2016-07-18 23:50:01      2048  7          c6e74584b7803337b29565c66c61334c SoftHSM     330
cacert.net                      ZSK      ready     2016-07-18 23:50:01      1024  7          bf100449261822f2083234e1739374ad SoftHSM     44043
key list completed in 0 seconds.
Daemon exit code: 0

More information about the Opendnssec-user mailing list