[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Fred.Zwarts F.Zwarts at KVI.nl
Thu Sep 22 08:00:31 UTC 2016


I forced another ZSK roll-over on our test system and the same problem 
popped up.
There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
In the zone file, many records are still signed with the retiring ZSK. 
However, this ZSK itself is no longer in the signed zone file.
Could it be that the option <Standby>1</Standby> causes these problems?
I know it is experimental, but it worked well in 1.4.10.

"Yuri Schaeffer" wrote in message 
news:84b78896-1d8a-aadb-2628-672f977cf575 at nlnetlabs.nl...

Hi Fred,

Can you send me the output of:
ods-enforcer key list -d

If possible, can you send me off list your kasp.db (assuming sqlite),
your kasp.xml, and the produced signconf for that zone? Then I can see
if it is perhaps a migration-related issue.

Regards,
Yuri

On 16-09-16 22:38, Fred Zwarts, KVI, Groningen wrote:
> We have ods 2.0.1 running  for some time, but now a ZSK roll-over is
> giving a problem.
> Currently the situation is as follows:
>
> # ods-enforcer key list --verbose
> Keys:
> Zone:    Keytype: State:   Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> KVI.nl   KSK      retire   2016-09-17 11:00:06      2048  8          d70448361bf9ded4888de4bb681a9963 SoftHSM     23384
> KVI.nl   ZSK      retire   2016-09-17 11:00:06      1024  8          664dd2e6d61153c53f99ac2dcafddbda SoftHSM     31771
> KVI.nl   KSK      active   2016-09-17 11:00:06      2048  8          333e0824ef6fc70c2729b02a88be92c7 SoftHSM     61849
> KVI.nl   ZSK      retire   2016-09-17 11:00:06      1024  8          6d31f5b7f2db0bc65fcb35f60ecceb1e SoftHSM     15381
> KVI.nl   ZSK      ready    2016-09-17 11:00:06      1024  8          3c246656cd56b7cfd5294f5cb8e02229 SoftHSM     43923
> key list completed in 0 seconds.
>
> Parts from the signed zone as written by ods:
>
> kvi.nl. 86400   IN      SOA     dns1.kvi.nl. hostmaster.kvi.nl. 2016091613 43200 3600 345600 10800
> kvi.nl. 86400   IN      RRSIG   SOA 8 2 86400 20160930151204 20160916173547 43923 KVI.nl.
>         a1quYQgmEnAmt2BUdt3PAcEQ4mFCoLIULLEKKoICataE7OuXAbdhfjE9hT0nJeJPiLm6jmJmyj6fM2PwEb9DHS+PMulUc1L
>         snwayUoylsXm0HUFiAvG7+/tt2UYgybGCrXYWrrTJuu/VxMPSb4Qy5uEdwfEQRKs5w5Aeqci7aUQ=
> kvi.nl. 3600    IN      DNSKEY  257 3 8
>         AwEAAb9i0ycPgnT71XuBrWg7XuvEcUcmhLsWtXsO/vmg3xpWiYR1wW15rEMvloZ7Bl7O4/42to8GlQHx0yY1r1Kx4mkFtH6Mol31QXE8vwk4JaG7dW3UJKCWAjLD2mrBhp0umzDQK5dlkE+9o
>         m0sjcz2aUASNAQqwh38qOl8+3jNGbfjaw9MGK1WMYRv805NGGgPnmQ1BoB/4d99nhzqAfAWLWRLCoxD2FWjbUm+cQCft+YMtzEk46Ua1H/g/0B38E/2A71fUMWfGM5tE0XuArpFc7ri81MAzEHl5gsYGgn4QnGlsg8ip0wFZns/1NndgXpnjMlSel
>         vp4EEC8RCBKJ7E5IM= ;{id = 61849 (ksk), size = 2048b}
> kvi.nl. 3600    IN      DNSKEY  256 3 8
>         AwEAAbuEIkm1DbfRGZVFEfJ2BfD2h1us5RD85wTAZpXI9UfHpEjj86ApLn4uctHza1/ekkNAwy4aOgsz+TxLrvAhfKLfQL17q44ty6PDw8jQcinA8LIqB9xo9umvVagCHQeTTkoTRdHjh3DLQ
>         Fw9ice4N+7emoi+NTtTEa5pg9r1L41X ;{id = 43923 (zsk), size = 1024b}
> kvi.nl. 3600    IN      RRSIG   DNSKEY 8 2 3600 20160930105859 20160916140006 61849 KVI.nl.
>         LB2yvkZT3+8gKzLYlnlrhxbCmugYAe0R4mICsodskbBJaRDZUncObYJZv8a4ogZo6IIwswHj8EfwzofW6ZXfcrXAymNYQ
>         adD38Iht7Xc2S3axpAwZ2jKA/CnlBI9trB4WIwb8zLBbH1sCKrFIofa+2r8h1J2Gv6AU7hjbLHK5dCMP7MlkqO54t9ENDqC6AgvKMn6/miw7xrI+9hK6VLvxjv/zQddWa8S+EX8waYVUC9sZI2f2SYWVgS3xAkOyn0PXyr7/mZ6llssSLJ7UZ9AGB
>         sitpJpimw+1FqjiX5jls4tr8VsSONhsb+a7v/d8n5EoPgCwuhUT8viJxoSFcm5Iw==
> kvi.nl. 86400   IN      NS      dns1.kvi.nl.
> kvi.nl. 86400   IN      NS      dns2.kvi.nl.
> kvi.nl. 86400   IN      NS      dwalin.nikhef.nl.
> kvi.nl. 86400   IN      RRSIG   NS 8 2 86400 20160929021424 20160914141121 31771 KVI.nl.
>         xmrTUJo4xM9vzhah0tQ1sPoEub2KEajKEjUjgrKCXNFsdmrVge/3iP8rpcjukSxOXQ4zHTGprFKxzyBFgWtkzZRQHX9dD/DI
>         iLIWoJ2Wh1xKTfWSTydmrP5C3E7HR6y6fEZqJ16p6Wu/eAjbf3yPcRKHLXePWjbNFVXVrbuycw4=
>
> The retiring keys are not present in the zone.
>
>
> The retiring KSK is the old backup KSK from ods 1.4.10.
> One of the retiring ZSKs is the old backup ZSK from ods 1.4.10.
> The other retiring ZSK is the old active ZSK.
> The ready ZSK is the new ZSK. However, there is no active ZSK.
>
> The ready ZSK is used to sign the SOA record, but the retiring ZSK 31771
> is still used to sign other records, even though it is not present in the zone.
> So, now many of the records do not have a validated signature.
> Any idea how this can be solved? Will the ready key become active at the
> next transition? 
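The failure described above, RRSIGs whose key tag matches no DNSKEY published in the zone, can be caught by a pre-publication check on the signed zone file. The following checker is an added example, not part of this thread or of OpenDNSSEC; it computes DNSKEY key tags per RFC 4034 Appendix B and runs over a constructed snippet (zone example.test with a short fake key and made-up signatures) that mimics the situation in the thread.

```python
import base64

# Constructed sample, not the zone from the thread: one published ZSK, one RRSIG
# made with it, and one RRSIG whose key tag (31771, as in the thread) has no DNSKEY.
SAMPLE_ZONE = """
example.test. 3600  IN DNSKEY 256 3 8 AQIDBAUGBwg= ;{id = 5148 (zsk)} constructed key
example.test. 86400 IN RRSIG SOA 8 2 86400 20160930151204 20160916173547 5148 example.test. c2ln
example.test. 86400 IN RRSIG NS 8 2 86400 20160929021424 20160914141121 31771 example.test. c2ln
"""


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Minimal one-record-per-line parser; ';' starts a comment, base64 may be split by spaces."""
    dnskeys, rrsigs = {}, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            dnskeys[dnskey_keytag(flags, proto, alg, "".join(rdata[3:]))] = (owner.lower(), flags)
        elif rtype == "RRSIG":
            # RRSIG rdata: type_covered alg labels orig_ttl expiration inception keytag signer sig...
            rrsigs.append((owner.lower(), rdata[0], int(rdata[6]), rdata[7].lower()))
    return dnskeys, rrsigs


def orphaned_signatures(text: str):
    """RRSIGs whose key tag has no DNSKEY in the zone: validators cannot verify these."""
    dnskeys, rrsigs = parse_zone(text)
    return [(owner, covered, tag) for owner, covered, tag, _signer in rrsigs if tag not in dnskeys]


if __name__ == "__main__":
    for owner, covered, tag in orphaned_signatures(SAMPLE_ZONE):
        print(f"{owner} RRSIG {covered}: key tag {tag} has no DNSKEY in the zone")
```

Running it over a real signed zone after each roll-over step gives an early warning of the "retiring key still signing, but no longer published" state before resolvers start returning SERVFAIL.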