[Opendnssec-user] ods 2.0.1 ZSK roll-over problem
Yuri Schaeffer
yuri at nlnetlabs.nl
Mon Sep 19 08:15:41 UTC 2016
Hi Fred,
Can you send me the output of:
ods-enforcer key list -d
If possible, can you send me off list your kasp.db (assuming sqlite),
your kasp.xml, and the produced signconf for that zone? Then I can see
if it is perhaps a migration-related issue.
Regards,
Yuri
On 16-09-16 22:38, Fred Zwarts, KVI, Groningen wrote:
> We have ods 2.0.1 running for some time, but now a ZSK roll-over is
> giving a problem.
> Currently the situation is as follows:
>
> # ods-enforcer key list --verbose
> Keys:
> Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
> KVI.nl KSK retire 2016-09-17 11:00:06 2048 8 d70448361bf9ded4888de4bb681a9963 SoftHSM 23384
> KVI.nl ZSK retire 2016-09-17 11:00:06 1024 8 664dd2e6d61153c53f99ac2dcafddbda SoftHSM 31771
> KVI.nl KSK active 2016-09-17 11:00:06 2048 8 333e0824ef6fc70c2729b02a88be92c7 SoftHSM 61849
> KVI.nl ZSK retire 2016-09-17 11:00:06 1024 8 6d31f5b7f2db0bc65fcb35f60ecceb1e SoftHSM 15381
> KVI.nl ZSK ready 2016-09-17 11:00:06 1024 8 3c246656cd56b7cfd5294f5cb8e02229 SoftHSM 43923
> key list completed in 0 seconds.
>
> Parts from the signed zone as written by ods:
>
> kvi.nl. 86400 IN SOA dns1.kvi.nl. hostmaster.kvi.nl.
> 2016091613 43200 3600 345600 10800
> kvi.nl. 86400 IN RRSIG SOA 8 2 86400 20160930151204
> 20160916173547 43923 KVI.nl.
> a1quYQgmEnAmt2BUdt3PAcEQ4mFCoLIULLEKKoICataE7OuXAbdhfjE9hT0nJeJPiLm6jmJmyj6fM2PwEb9DHS+PMulUc1L
>
> snwayUoylsXm0HUFiAvG7+/tt2UYgybGCrXYWrrTJuu/VxMPSb4Qy5uEdwfEQRKs5w5Aeqci7aUQ=
>
> kvi.nl. 3600 IN DNSKEY 257 3 8
> AwEAAb9i0ycPgnT71XuBrWg7XuvEcUcmhLsWtXsO/vmg3xpWiYR1wW15rEMvloZ7Bl7O4/42to8GlQHx0yY1r1Kx4mkFtH6Mol31QXE8vwk4JaG7dW3UJKCWAjLD2mrBhp0umzDQK5dlkE+9o
>
> m0sjcz2aUASNAQqwh38qOl8+3jNGbfjaw9MGK1WMYRv805NGGgPnmQ1BoB/4d99nhzqAfAWLWRLCoxD2FWjbUm+cQCft+YMtzEk46Ua1H/g/0B38E/2A71fUMWfGM5tE0XuArpFc7ri81MAzEHl5gsYGgn4QnGlsg8ip0wFZns/1NndgXpnjMlSel
>
> vp4EEC8RCBKJ7E5IM= ;{id = 61849 (ksk), size = 2048b}
> kvi.nl. 3600 IN DNSKEY 256 3 8
> AwEAAbuEIkm1DbfRGZVFEfJ2BfD2h1us5RD85wTAZpXI9UfHpEjj86ApLn4uctHza1/ekkNAwy4aOgsz+TxLrvAhfKLfQL17q44ty6PDw8jQcinA8LIqB9xo9umvVagCHQeTTkoTRdHjh3DLQ
>
> Fw9ice4N+7emoi+NTtTEa5pg9r1L41X ;{id = 43923 (zsk), size = 1024b}
> kvi.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20160930105859
> 20160916140006 61849 KVI.nl.
> LB2yvkZT3+8gKzLYlnlrhxbCmugYAe0R4mICsodskbBJaRDZUncObYJZv8a4ogZo6IIwswHj8EfwzofW6ZXfcrXAymNYQ
>
> adD38Iht7Xc2S3axpAwZ2jKA/CnlBI9trB4WIwb8zLBbH1sCKrFIofa+2r8h1J2Gv6AU7hjbLHK5dCMP7MlkqO54t9ENDqC6AgvKMn6/miw7xrI+9hK6VLvxjv/zQddWa8S+EX8waYVUC9sZI2f2SYWVgS3xAkOyn0PXyr7/mZ6llssSLJ7UZ9AGB
>
> sitpJpimw+1FqjiX5jls4tr8VsSONhsb+a7v/d8n5EoPgCwuhUT8viJxoSFcm5Iw==
>
> kvi.nl. 86400 IN NS dns1.kvi.nl.
> kvi.nl. 86400 IN NS dns2.kvi.nl.
> kvi.nl. 86400 IN NS dwalin.nikhef.nl.
> kvi.nl. 86400 IN RRSIG NS 8 2 86400 20160929021424
> 20160914141121 31771 KVI.nl.
> xmrTUJo4xM9vzhah0tQ1sPoEub2KEajKEjUjgrKCXNFsdmrVge/3iP8rpcjukSxOXQ4zHTGprFKxzyBFgWtkzZRQHX9dD/DI
>
> iLIWoJ2Wh1xKTfWSTydmrP5C3E7HR6y6fEZqJ16p6Wu/eAjbf3yPcRKHLXePWjbNFVXVrbuycw4=
>
>
> The retiring keys are not present in the zone.
>
>
> The retiring KSK is the old backup KSK from ods 1.4.10.
> One of the retiring ZSK is the old backup ZSK from ods 1.4.10.
> The other retiring ZSK is the old active ZSK.
> The ready ZSK is the new ZSK. However, there is no active ZSK.
>
> The ready ZSK is used to sign the SOA record, while the retiring ZSK 31771
> is still used to sign other records, although it is not present in the zone.
> So, now many of the records do not have a validated signature.
> Any idea how this can be solved? Will the ready key become active at the
> next transition?
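The condition Fred describes, RRSIGs in the signed zone whose key tag has no matching DNSKEY at the apex, can be caught mechanically. The check below is an added example, not code from the thread or from OpenDNSSEC: it computes key tags per RFC 4034 Appendix B and flags orphaned signatures. The zone excerpt and DNSKEY material are constructed (the key tags 2062 and 4119 come from those toy keys); only the orphan tag 31771 is taken from the post.

```python
import base64
import struct

# Constructed excerpt in the layout ods writes; the keys are toy values,
# not the real KVI.nl keys, and the signature fields are placeholders
# because only key tags are examined here.
SIGNED_ZONE = """\
kvi.nl. 3600 IN DNSKEY 257 3 8 BQYHCA==
kvi.nl. 3600 IN DNSKEY 256 3 8 AQIDBA==
kvi.nl. 86400 IN RRSIG SOA 8 2 86400 20160930151204 20160916173547 2062 kvi.nl. c2ln
kvi.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20160930105859 20160916140006 4119 kvi.nl. c2ln
kvi.nl. 86400 IN RRSIG NS 8 2 86400 20160929021424 20160914141121 31771 kvi.nl. c2ln
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_zone(text):
    """Return ({key_tag: role}, sorted [(covered_type, key_tag)] orphans).

    An orphan is an RRSIG whose key tag matches no DNSKEY in the zone text,
    which is exactly what leaves records without a validatable signature.
    """
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        f = line.split(";")[0].split()  # drop ods' ";{id = ...}" comments
        if len(f) < 8 or f[3] not in ("DNSKEY", "RRSIG"):
            continue
        if f[3] == "DNSKEY":
            flags = int(f[4])
            pubkey = base64.b64decode("".join(f[7:]))
            tag = key_tag(flags, int(f[5]), int(f[6]), pubkey)
            dnskeys[tag] = "ksk" if flags & 1 else "zsk"  # SEP bit marks the KSK
        elif len(f) > 10:
            rrsigs.append((f[4], int(f[10])))  # (type covered, key tag)
    orphans = sorted({(rtype, tag) for rtype, tag in rrsigs if tag not in dnskeys})
    return dnskeys, orphans


if __name__ == "__main__":
    keys, orphans = check_zone(SIGNED_ZONE)
    print("published keys:", keys)
    print("RRSIGs without a published DNSKEY:", orphans)
```

Running it against a real signed zone file (one record per line, as ods writes it) reports every RRSIG whose signing key has already been withdrawn from the DNSKEY RRset.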