[Opendnssec-user] End-of-life OpenDNSSEC 1.3 on 2017-07-11

Wytze van der Raay wytze at deboca.net
Mon Jul 18 15:58:26 UTC 2016

Hi Yuri,

On 07/18/2016 05:02 PM, Yuri Schaeffer wrote:
> I found a couple of errors in the migration script. Causing confusion in
> the enforcer about the role of a key (ksk/zsk). I would advise you to
> run the migration again but since you are live that might not be feasible.

Not really ... too many things have been changed already since.

> If you are adventurous we could try to patch your database? Assuming you
> are. Let's do this:

OK, a little bit, so I tried this.

> - stop opendnssec entirely
> - backup your kasp.db
> - run the following queries on your db:
> UPDATE keyData
> SET dsatparent = 0
> WHERE role = 2;
> UPDATE keyState
> SET state = 4
> WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN (
>        SELECT keyData.id
>        FROM keyData
>        WHERE keyData.role = 2);
> UPDATE keyState
> SET state = 4
> WHERE keyState.type = 1 AND keyDataId IN (
>        SELECT keyData.id
>        FROM keyData
>        WHERE keyData.role = 1);
> This should get rid of those pesky ds-submit messages for ZSKs. And
> prevent premature rollovers.

Yes, the key states look a lot more reasonable now indeed. But it has
also managed to break my cacert.net zone again, just for a while I hope.
That zone is now signed by a retired ZSK, which is not in the zone file
anymore, while the formerly active ZSK is now in the 'ready' state,
which will hopefully change to 'active' at 2016-07-19 00:06:09.

> - start ODS back up
> - Make sure the enforcer processed all zones. If needed run ods-enforcer
> enforce; ods-enforcer signconf (we want to make sure it writes a new
> signconf even if it thinks there is nothing to do);

(I did all of that)

>> Well, after waiting a day, a somewhat friendlier solution has presented
>> itself. After expiry of a timer for the newly created KSK 330, the
>> ods-enforcer key export -d *did* actually give me the DS records for
>> KSK 330 (and some other useless ones). After uploading these DS records
>> to the registrar, the zone did come back to life, and is basically
>> looking healthy now.
>> Still, this is not a feasible method to repair my other zones, since
>> I don't want to see them die DNSSEC-wise, while waiting for the timer
>> to expire. Only after that (many hours later) ods-enforcer key export -d
>> will finally give me the desired DS records.
> I expect after fixing the DB this will give you correct results.

Not really, for the cacert.net zone *nothing* is exported (might be
considered reasonable since the current KSK has already been uploaded),
but for the cacert.com zone ODS continues to export useless retired
records (all KSK now, that's a minor improvement I guess). Which means
I still have to wait until tomorrow morning before I can export the DS
of the new KSK which is still in 'publish' state ... but cannot be
published lacking the DS :-(

-- wytze
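The three UPDATE statements quoted above rewrite key roles directly in the enforcer's SQLite database, so the sensible way to apply them is against a backup first and with a check of what actually changed. The script below is an added example, not code from the thread or from OpenDNSSEC: it builds a constructed in-memory copy of the two tables the queries touch (keyData.id/role/dsatparent, keyState.keyDataId/type/state, names taken from the quoted SQL), seeds it with one KSK and one ZSK whose DS-related rows are populated the way the faulty migration left them, applies the exact three statements, and reports per-statement row counts plus a before/after snapshot. The meaning of the numeric codes (role 1 = KSK, 2 = ZSK; keyState type 0 = DS, 1 = RRSIG, 2 = DNSKEY, 3 = RRSIGDNSKEY; state 4 = NA) is an assumption about the 2.0 schema, not something the mail states; the `repair_kasp_file` helper and its `.bak` naming are likewise this example's own.

```python
"""Dry-run of the kasp.db role repair from the thread (added example)."""
import shutil
import sqlite3

# Minimal stand-in for the two tables the repair touches (constructed; the
# real kasp.db has many more columns and tables).
SCHEMA = """
CREATE TABLE keyData (id INTEGER PRIMARY KEY, role INTEGER, dsatparent INTEGER);
CREATE TABLE keyState (id INTEGER PRIMARY KEY, keyDataId INTEGER,
                       type INTEGER, state INTEGER);
"""

# Constructed sample: key 1 is a KSK (role 1), key 2 a ZSK (role 2).
# The ZSK carries DS/RRSIGDNSKEY state and dsatparent=1, which is the
# symptom described in the mail (ds-submit messages for ZSKs).
SAMPLE_KEYDATA = [(1, 1, 1), (2, 2, 1)]          # id, role, dsatparent
SAMPLE_KEYSTATE = [                              # keyDataId, type, state
    (1, 0, 2), (1, 1, 2), (1, 2, 2), (1, 3, 2),  # KSK: DS, RRSIG, DNSKEY, RRSIGDNSKEY
    (2, 0, 1), (2, 1, 2), (2, 2, 2), (2, 3, 1),  # ZSK: same four, wrongly populated
]

# The three statements exactly as quoted in the thread.
REPAIR = [
    "UPDATE keyData SET dsatparent = 0 WHERE role = 2",
    "UPDATE keyState SET state = 4 "
    "WHERE (keyState.type = 0 OR keyState.type = 3) AND keyDataId IN "
    "(SELECT keyData.id FROM keyData WHERE keyData.role = 2)",
    "UPDATE keyState SET state = 4 "
    "WHERE keyState.type = 1 AND keyDataId IN "
    "(SELECT keyData.id FROM keyData WHERE keyData.role = 1)",
]


def build_sample_db():
    """Create the constructed in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO keyData VALUES (?, ?, ?)", SAMPLE_KEYDATA)
    conn.executemany(
        "INSERT INTO keyState (keyDataId, type, state) VALUES (?, ?, ?)",
        SAMPLE_KEYSTATE,
    )
    conn.commit()
    return conn


def apply_repair(conn):
    """Run the three UPDATEs in one transaction; return rows matched per statement.

    Wrapping them in a single transaction means a failure part-way leaves the
    database untouched instead of half-repaired.
    """
    counts = []
    with conn:
        for sql in REPAIR:
            counts.append(conn.execute(sql).rowcount)
    return counts


def snapshot(conn):
    """Return ({(keyDataId, type): state}, {keyDataId: dsatparent}) for checking."""
    states = {(k, t): s for k, t, s in
              conn.execute("SELECT keyDataId, type, state FROM keyState")}
    dsatparent = dict(conn.execute("SELECT id, dsatparent FROM keyData"))
    return states, dsatparent


def repair_kasp_file(path):
    """Back up a real kasp.db beside itself (path + '.bak'), then repair it.

    Hypothetical helper: run only with the enforcer stopped, as the mail says.
    """
    shutil.copy2(path, path + ".bak")
    conn = sqlite3.connect(path)
    try:
        return apply_repair(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    db = build_sample_db()
    before = snapshot(db)
    print("rows matched per statement:", apply_repair(db))
    after = snapshot(db)
    for key in sorted(before[0]):
        if before[0][key] != after[0][key]:
            print(f"keyState keyDataId={key[0]} type={key[1]}: "
                  f"{before[0][key]} -> {after[0][key]}")
    print("dsatparent:", before[1], "->", after[1])
```

On the constructed sample, only the ZSK's DS and RRSIGDNSKEY rows and the KSK's RRSIG row move to state 4, and only the ZSK's dsatparent flag is cleared; the DNSKEY rows and the KSK's DS flag are untouched, which is the check worth repeating on a copy of a real database before running the statements for real.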
