[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Fred.Zwarts F.Zwarts at KVI.nl
Tue Oct 4 09:06:43 UTC 2016

Hi Yuri,

Is there any progress on this matter? I have a strong impression that the 
problem is not (only) caused by migration problems. It seems to happen 
always if a standby ZSK is configured. When, after some days of changing key 
states, the system enters a more stable situation, I see that there are 
two active ZSKs. Both ZSKs have the <Publish/> attribute in the signer 
configuration and both of them are found in the signed zone, although only 
one is used in the RRSIG records. (So, it would be better if the enforcer 
would show one as active and the other one as ready, but that is a minor 
When I force a ZSK roll-over, then both ZSKs go to the retire state and a 
new ZSK goes to the publish and later to the ready state. But only one of 
the retiring ZSKs is still present in the signed zone and unfortunately, it 
is the wrong one, the one that is not used in the RRSIG records. So, there 
are then many RRSIG records using a ZSK that is no longer present in the 
signed zone.

When I set standby to 0, then after some days only one ZSK is left in the 
active state. If I then force a roll-over no problem is seen. The retiring 
ZSK stays in the signed zone until all RRSIG records using this ZSK have 
been replaced. During the transition, there is no active ZSK, but one ZSK is 
in the retire state and the new ZSK is in the publish or ready state. (I 
would expect already an active state, but that is a minor problem.) During 
the transition the ZSKs used in the RRSIG are always present in the signed 

So, I have now set standby to 0, hoping that this will avoid further 

I wonder if you can reproduce this problem with standby ZSKs?


"Fred.Zwarts" wrote in message news:nsar1v$2af$1 at blaine.gmane.org...

Hi Yuri,

I have been away a few days, so sorry for the late response.

I am not sure that your diagnosis is the whole story.

We have had two cases of this problem. In the first case your diagnosis may
apply, because it happened rather soon after the migration. However, at the
moment of the migration, there was no roll-over in progress, but there were
two KSKs (one active, one standby) and two ZSKs (one active, one standby).
Soon (two days) after the migration a scheduled ZSK roll-over started.

The second case, however, on a different system (from which I sent you the
database), happened when ods had been running for about one month. There were
no keys left from the migration, because a KSK and a ZSK roll-over had
completed already. At that moment there was one KSK and there was one active
ZSK and one ready (standby) ZSK. Then I forced a ZSK roll-over. So, I still
think that the problem is not (only) the migration, but also the use of a
standby ZSK.

But, anyhow, it is good to make sure the signer doesn't keep signatures of a
key that is no longer active or publish.
But the question remains: what should the signer do if there are no ZSKs
active or publish?
We now have the situation with two retiring ZSKs and one ready ZSK.
How long do we have to wait, till the ready ZSK will become active?

Thanks for your help,

"Yuri Schaeffer" wrote in message
news:2c127074-c0c2-2132-6da0-0fe173054fee at nlnetlabs.nl...

Hi Fred,

Thanks for sharing the data, I now understand what has happened. The
root cause must have been an error in the migration script. I'll write
it down in detail so you can verify your part of the events.

1) Before migration there were two ZSKs in a rollover. Let's call those
ZSK1 (old) and ZSK2 (new).

2) migration script was executed. ZSK2 was wrongfully marked as entirely
propagated (but in fact only some of the signatures were generated
with this key)

3) enforcer ran, concluded ZSK1 could be removed, instructed the signer
to stop publishing the DNSKEY of ZSK1. But the signer kept reusing
signatures of this key.

4) Now the user issued a rollover to ZSK3 to fix the situation. But now
we are in a situation where we still have signatures from ZSK1 and ZSK2.
Both will be replaced by signatures of ZSK3 over the course of 14 days.
(signature validity in KASP).

To come out of this situation you could issue a
ods-signer clear kvi.nl
All signatures will then be regenerated at the next sign run. All of
them with ZSK3

For us to do:
1) Fix migration script to better recognise current rollover.
2) Make sure the signer doesn't keep signatures of a key that is no
longer active or publish.
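The failure mode discussed in this thread (RRSIG records made with a ZSK whose DNSKEY the signer has already stopped publishing) is something an operator can check for independently of the enforcer's key states. The script below is an added example, not OpenDNSSEC code: it computes RFC 4034 key tags for every DNSKEY in a signed zone, then cross-checks the key tag field of every RRSIG against them. It reports two things: "orphaned" signatures, whose key is no longer in the DNSKEY RRset (these fail validation once the old DNSKEY expires from caches), and published keys that sign nothing (expected for a pre-published or standby ZSK, as Fred observed, so it is only informational). The zone, owner names, timestamps, key material and signatures are constructed for the example; the keys are not real RSA keys, only their key tags matter here.

```python
"""Cross-check RRSIG key tags against the DNSKEY RRset of a signed zone.

Added example, not OpenDNSSEC code. Input is a plain one-record-per-line
presentation-format zone (no parentheses, no $ directives); the sample
zone below is constructed and the key material is dummy bytes.
"""
import base64
import struct
from collections import defaultdict


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 algorithms)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Return ({key_tag: flags} for DNSKEYs, [(owner, type_covered, key_tag)] for RRSIGs)."""
    dnskeys = {}
    rrsigs = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments
        if not line:
            continue
        f = line.split()  # owner ttl class type rdata...
        rtype = f[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            dnskeys[key_tag(flags, proto, alg, pub)] = flags
        elif rtype == "RRSIG":
            # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig
            rrsigs.append((f[0], f[4], int(f[10])))
    return dnskeys, rrsigs


def audit(text: str):
    """Return (orphaned, unused).

    orphaned: {rrsig_key_tag: [(owner, type_covered), ...]} with no matching DNSKEY.
    unused:   set of DNSKEY key tags that no RRSIG in the zone references.
    """
    dnskeys, rrsigs = parse_zone(text)
    orphaned = defaultdict(list)
    used = set()
    for owner, covered, tag in rrsigs:
        used.add(tag)
        if tag not in dnskeys:
            orphaned[tag].append((owner, covered))
    unused = {tag for tag in dnskeys if tag not in used}
    return dict(orphaned), unused


# Constructed dummy key material (not real keys); flags 256 = ZSK, 257 = KSK.
ZSK_OLD = (256, 3, 8, bytes(range(0, 64)))       # DNSKEY withdrawn, signatures still reused
ZSK_ACTIVE = (256, 3, 8, bytes(range(64, 128)))  # currently signing
ZSK_READY = (256, 3, 8, bytes(range(128, 192)))  # pre-published, not signing yet
KSK = (257, 3, 8, bytes(range(192, 256)))


def dnskey_rr(owner: str, key) -> str:
    flags, proto, alg, pub = key
    return f"{owner} 3600 IN DNSKEY {flags} {proto} {alg} {base64.b64encode(pub).decode()}"


def rrsig_rr(owner: str, covered: str, key, signer: str) -> str:
    """Constructed RRSIG line; timestamps and signature are dummies, only the key tag is checked."""
    labels = owner.rstrip(".").count(".") + 1
    return (f"{owner} 3600 IN RRSIG {covered} 8 {labels} 3600 "
            f"20161020000000 20161006000000 {key_tag(*key)} {signer} AAAA")


def build_zone() -> str:
    """Constructed zone reproducing the thread's situation: ZSK_OLD's DNSKEY is gone, its RRSIG remains."""
    z = "example.com."
    lines = [
        dnskey_rr(z, KSK),
        dnskey_rr(z, ZSK_ACTIVE),
        dnskey_rr(z, ZSK_READY),
        rrsig_rr(z, "DNSKEY", KSK, z),
        f"www.{z} 3600 IN A 192.0.2.1",
        rrsig_rr(f"www.{z}", "A", ZSK_OLD, z),      # stale signature from the withdrawn key
        f"mail.{z} 3600 IN A 192.0.2.2",
        rrsig_rr(f"mail.{z}", "A", ZSK_ACTIVE, z),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    orphaned, unused = audit(build_zone())
    for tag, rrsets in orphaned.items():
        print(f"ERROR: RRSIGs by key tag {tag} but no such DNSKEY published: {rrsets}")
    for tag in unused:
        print(f"info: DNSKEY {tag} is published but signs nothing (pre-published/standby?)")
```

Run it against a real signed zone file exported from the signer (for example the output of `ods-signer sign` written to the configured output zone) by replacing `build_zone()` with the file contents. Any "ERROR" line is the condition described above, where `ods-signer clear <zone>` forces all signatures to be regenerated with the currently active ZSK.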


Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
