[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Sep 19 08:15:41 UTC 2016


Hi Fred,

Can you send me the output of:
	ods-enforcer key list -d

If possible, can you send me off list your kasp.db (assuming sqlite),
your kasp.xml, and the produced signconf for that zone? Then I can see
if it is perhaps a migration-related issue.

Regards,
Yuri

On 16-09-16 22:38, Fred Zwarts, KVI, Groningen wrote:
> We have ods 2.0.1 running for some time, but now a ZSK roll-over is
> giving a problem.
> Currently the situation is as follows:
> 
> # ods-enforcer key list --verbose
> Keys:
> Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> KVI.nl                          KSK      retire    2016-09-17 11:00:06      2048  8          d70448361bf9ded4888de4bb681a9963 SoftHSM     23384
> KVI.nl                          ZSK      retire    2016-09-17 11:00:06      1024  8          664dd2e6d61153c53f99ac2dcafddbda SoftHSM     31771
> KVI.nl                          KSK      active    2016-09-17 11:00:06      2048  8          333e0824ef6fc70c2729b02a88be92c7 SoftHSM     61849
> KVI.nl                          ZSK      retire    2016-09-17 11:00:06      1024  8          6d31f5b7f2db0bc65fcb35f60ecceb1e SoftHSM     15381
> KVI.nl                          ZSK      ready     2016-09-17 11:00:06      1024  8          3c246656cd56b7cfd5294f5cb8e02229 SoftHSM     43923
> key list completed in 0 seconds.
> 
> Parts from the signed zone as written by ods:
> 
> kvi.nl. 86400   IN      SOA     dns1.kvi.nl. hostmaster.kvi.nl. 2016091613 43200 3600 345600 10800
> kvi.nl. 86400   IN      RRSIG   SOA 8 2 86400 20160930151204 20160916173547 43923 KVI.nl. a1quYQgmEnAmt2BUdt3PAcEQ4mFCoLIULLEKKoICataE7OuXAbdhfjE9hT0nJeJPiLm6jmJmyj6fM2PwEb9DHS+PMulUc1LsnwayUoylsXm0HUFiAvG7+/tt2UYgybGCrXYWrrTJuu/VxMPSb4Qy5uEdwfEQRKs5w5Aeqci7aUQ=
> 
> kvi.nl. 3600    IN      DNSKEY  257 3 8 AwEAAb9i0ycPgnT71XuBrWg7XuvEcUcmhLsWtXsO/vmg3xpWiYR1wW15rEMvloZ7Bl7O4/42to8GlQHx0yY1r1Kx4mkFtH6Mol31QXE8vwk4JaG7dW3UJKCWAjLD2mrBhp0umzDQK5dlkE+9om0sjcz2aUASNAQqwh38qOl8+3jNGbfjaw9MGK1WMYRv805NGGgPnmQ1BoB/4d99nhzqAfAWLWRLCoxD2FWjbUm+cQCft+YMtzEk46Ua1H/g/0B38E/2A71fUMWfGM5tE0XuArpFc7ri81MAzEHl5gsYGgn4QnGlsg8ip0wFZns/1NndgXpnjMlSelvp4EEC8RCBKJ7E5IM= ;{id = 61849 (ksk), size = 2048b}
> kvi.nl. 3600    IN      DNSKEY  256 3 8 AwEAAbuEIkm1DbfRGZVFEfJ2BfD2h1us5RD85wTAZpXI9UfHpEjj86ApLn4uctHza1/ekkNAwy4aOgsz+TxLrvAhfKLfQL17q44ty6PDw8jQcinA8LIqB9xo9umvVagCHQeTTkoTRdHjh3DLQFw9ice4N+7emoi+NTtTEa5pg9r1L41X ;{id = 43923 (zsk), size = 1024b}
> kvi.nl. 3600    IN      RRSIG   DNSKEY 8 2 3600 20160930105859 20160916140006 61849 KVI.nl. LB2yvkZT3+8gKzLYlnlrhxbCmugYAe0R4mICsodskbBJaRDZUncObYJZv8a4ogZo6IIwswHj8EfwzofW6ZXfcrXAymNYQadD38Iht7Xc2S3axpAwZ2jKA/CnlBI9trB4WIwb8zLBbH1sCKrFIofa+2r8h1J2Gv6AU7hjbLHK5dCMP7MlkqO54t9ENDqC6AgvKMn6/miw7xrI+9hK6VLvxjv/zQddWa8S+EX8waYVUC9sZI2f2SYWVgS3xAkOyn0PXyr7/mZ6llssSLJ7UZ9AGBsitpJpimw+1FqjiX5jls4tr8VsSONhsb+a7v/d8n5EoPgCwuhUT8viJxoSFcm5Iw==
> 
> kvi.nl. 86400   IN      NS      dns1.kvi.nl.
> kvi.nl. 86400   IN      NS      dns2.kvi.nl.
> kvi.nl. 86400   IN      NS      dwalin.nikhef.nl.
> kvi.nl. 86400   IN      RRSIG   NS 8 2 86400 20160929021424 20160914141121 31771 KVI.nl. xmrTUJo4xM9vzhah0tQ1sPoEub2KEajKEjUjgrKCXNFsdmrVge/3iP8rpcjukSxOXQ4zHTGprFKxzyBFgWtkzZRQHX9dD/DIiLIWoJ2Wh1xKTfWSTydmrP5C3E7HR6y6fEZqJ16p6Wu/eAjbf3yPcRKHLXePWjbNFVXVrbuycw4=
> 
> 
> The retiring keys are not present in the zone.
> 
> 
> The retiring KSK is the old backup KSK from ods 1.4.10.
> One of the retiring ZSK is the old backup ZSK from ods 1.4.10.
> The other retiring ZSK is the old active ZSK.
> The ready ZSK is the new ZSK. However, there is no active ZSK.
> 
> The ready ZSK is used to sign the SOA record, while the retiring ZSK 31771
> is still used to sign other records even though it is not present in the
> zone. So, now many of the records do not have a validated signature.
> Any idea how this can be solved? Will the ready key become active at the
> next transition?
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
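The condition Fred reports, RRSIGs in the published zone whose signing key tag has no matching DNSKEY at the apex, can be checked mechanically before a validator does it for you. The script below is an added example written for this archive page; it is not part of the thread and not OpenDNSSEC code. It computes the key tag of every apex DNSKEY per RFC 4034 Appendix B (the same number ods-enforcer prints in its KeyTag column and ods-signer writes in the ";{id = N}" comment) and lists every RRSIG whose (algorithm, key tag) pair is not in the DNSKEY RRset. The zone text is constructed to mirror the posted one: the names, the 4-byte toy public key (so the tags come out as 2063 and 2062 rather than real RSA tags), the placeholder signatures and the orphan tag 31771 are all illustrative assumptions.

```python
"""Added example (not from the thread or from OpenDNSSEC): flag RRSIGs whose
signing key is not published in the apex DNSKEY RRset, the situation Fred
reports for key tag 31771."""
import base64
import struct


def keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def records(zone_text: str):
    """Yield (owner, rrtype, rdata tokens) from one-record-per-line zone text.
    Anything after ';' is a comment, as in the ods-signer output above."""
    for raw in zone_text.splitlines():
        tok = raw.split(";", 1)[0].split()
        if not tok:
            continue
        i = 1
        if tok[i].isdigit():                      # optional TTL
            i += 1
        if tok[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        yield tok[0].lower(), tok[i].upper(), tok[i + 1:]


def audit(zone_text: str, apex: str):
    """Return (published, orphaned). published maps (algorithm, key tag) to
    DNSKEY flags for keys actually in the zone; orphaned lists
    (owner, covered type, key tag) for RRSIGs no published DNSKEY can validate."""
    apex = apex.lower()                           # DNS names are case-insensitive
    published = {}
    for owner, rrtype, rd in records(zone_text):
        if rrtype == "DNSKEY" and owner == apex:
            flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
            pub = base64.b64decode("".join(rd[3:]))
            published[(alg, keytag(flags, proto, alg, pub))] = flags
    orphaned = []
    for owner, rrtype, rd in records(zone_text):
        if rrtype != "RRSIG":
            continue
        # RRSIG RDATA: covered alg labels origttl expiration inception keytag signer sig
        covered, alg, tag, signer = rd[0].upper(), int(rd[1]), int(rd[6]), rd[7].lower()
        if signer != apex or (alg, tag) not in published:
            orphaned.append((owner, covered, tag))
    return published, orphaned


# Constructed sample zone modelled on the posted one: a KSK (flags 257) and a
# ZSK (flags 256) sharing a toy 4-byte public key "AQIDBA==" (tags 2063 and
# 2062), plus an NS RRSIG still made by a key that is no longer published,
# tag 31771. Signature fields are placeholder base64, not real signatures.
SAMPLE_ZONE = """\
example.nl. 86400 IN SOA dns1.example.nl. hostmaster.example.nl. 2016091613 43200 3600 345600 10800
example.nl. 86400 IN RRSIG SOA 8 2 86400 20160930151204 20160916173547 2062 EXAMPLE.nl. c2lnbmF0dXJl
example.nl. 3600 IN DNSKEY 257 3 8 AQIDBA== ;{id = 2063 (ksk), size = 32b}
example.nl. 3600 IN DNSKEY 256 3 8 AQIDBA== ;{id = 2062 (zsk), size = 32b}
example.nl. 3600 IN RRSIG DNSKEY 8 2 3600 20160930105859 20160916140006 2063 example.nl. c2lnbmF0dXJl
example.nl. 86400 IN NS dns1.example.nl.
example.nl. 86400 IN RRSIG NS 8 2 86400 20160929021424 20160914141121 31771 example.nl. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    published, orphaned = audit(SAMPLE_ZONE, "example.nl.")
    print("published DNSKEYs (alg, tag):", sorted(published))
    for owner, covered, tag in orphaned:
        print(f"{owner} RRSIG {covered} signed by unpublished key tag {tag}")
```

Run against the real signed zone file ods writes (one record per line, as in the excerpt above) the computed tags should agree with the ";{id = N}" annotations and with the KeyTag column of ods-enforcer key list; any RRSIG reported as orphaned is one a validator will reject, which is exactly the NS signature by tag 31771 in Fred's zone. The signer name comparison is done case-insensitively on purpose, since ods writes it as "KVI.nl." while the owner is "kvi.nl.".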
