[Opendnssec-user] ods 2.0.1 ZSK roll-over problem
Fred.Zwarts
F.Zwarts at KVI.nl
Thu Sep 22 08:38:50 UTC 2016
# ods-enforcer key list -d
Keys:
Zone:                                     Key role: DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
40.125.129.in-addr.arpa                   KSK       omnipresent  omnipresent  omnipresent  NA           1    1    956d1b9309f7db3f5dd407c5a2153d64
56.125.129.in-addr.arpa                   KSK       omnipresent  omnipresent  omnipresent  NA           1    1    d4029c2ca8e7c952bd091a8c26368769
81.125.129.in-addr.arpa                   KSK       omnipresent  omnipresent  omnipresent  NA           1    1    f2c94f383a7e678a6828e62f8b13ebd6
0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  KSK       omnipresent  omnipresent  omnipresent  NA           1    1    5c7cad2b7f74ca4deb3ed7e85cef753d
37.125.129.in-addr.arpa                   KSK       omnipresent  omnipresent  omnipresent  NA           1    1    ce20f66ea4acc883fd1268e06d85f379
81.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    df12be2f9455e37f72988c0ec5de9134
0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  ZSK       NA           omnipresent  NA           omnipresent  1    1    4ecdf02db5c3fb7cc75f4ed790a48c35
KVI.nl                                    ZSK       NA           hidden       NA           hidden       0    0    d5104974928d9d3b962efe9cdb0d423c
56.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    5caf384ceb8704d78ba171dd26317994
40.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    0db0fe4431642f178a1130330e87420e
27.125.129.in-addr.arpa                   KSK       omnipresent  omnipresent  omnipresent  NA           1    1    ea51bf3290a73b7f69593f7b971c6edb
37.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    b03d9281a6d5337b10081a0a1495efc7
27.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    c59608a2dee24c15f4b520b42e4c6c59
15.125.129.in-addr.arpa                   KSK       omnipresent  omnipresent  omnipresent  NA           1    1    a1fc7f463d0418e31a00452c7f43d613
81.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    e781f75513f9f0298178acb9276b41b0
0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  ZSK       NA           omnipresent  NA           omnipresent  1    1    35a44e60dcd7016d324cadbdb25cdd0b
KVI.nl                                    ZSK       NA           omnipresent  NA           unretentive  1    0    63b58e329df2a6bfa09671425146b72d
56.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    a9c86ca62462256f7a199fd54f50423a
40.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    41501fedde3f3380fa05753010f2f022
KVI.nl                                    KSK       omnipresent  omnipresent  omnipresent  NA           1    1    933aa76282968a1212c6dd6de92a5dae
37.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    7caf0a333030e34d5bbb80540ce4a981
27.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    30edff1e19f2d00d9896757ebbae0b71
15.125.129.in-addr.arpa                   ZSK       NA           omnipresent  NA           omnipresent  1    1    b2f99fddb59f1d6190c807cccd219c09
KVI.nl                                    ZSK       NA           omnipresent  NA           rumoured     1    1    0ef4982714ed47c4cf84c87e62c38890
key list completed in 0 seconds.

# ods-enforcer key list --verbose --zone KVI.nl
Keys:
Zone:   Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                           Repository: KeyTag:
KVI.nl  ZSK      retire  2016-10-05 00:29:43      1024  8          d5104974928d9d3b962efe9cdb0d423c  SoftHSM     30271
KVI.nl  ZSK      retire  2016-10-05 00:29:43      1024  8          63b58e329df2a6bfa09671425146b72d  SoftHSM     20904
KVI.nl  KSK      active  2016-10-05 00:29:43      2048  8          933aa76282968a1212c6dd6de92a5dae  SoftHSM     38854
KVI.nl  ZSK      ready   2016-10-05 00:29:43      1024  8          0ef4982714ed47c4cf84c87e62c38890  SoftHSM     13143
key list completed in 0 seconds.

"Yuri Schaeffer" wrote in message news:2d755d83-d90b-7890-4637-32428455267e at nlnetlabs.nl...
> I forced another ZSK roll-over on our test system and the same problem
> popped up.
> There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
> In the zone file, many records are still signed with the retiring ZSK.
> However, this ZSK itself is no longer in the signed zone file.
To debug this I could really use your database or at the very least the
output of
ods-enforcer key list -d
//Yuri
> Could it be that the option <Standby>1</Standby> causes these problems?
unlikely.
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kvi.zone
Type: application/octet-stream
Size: 1348183 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160922/8e9a00b0/attachment.obj>
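
A monitoring check for the condition reported in this thread (a zone that holds ZSKs but none in state "active"), added here as an example; it is not part of the original post or of OpenDNSSEC. It assumes the column layout of `ods-enforcer key list --verbose` shown above with one key per line, and the sample rows are copied from that output.

```python
from collections import defaultdict

# Rows copied from the `ods-enforcer key list --verbose --zone KVI.nl` output in this post.
SAMPLE = """\
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
KVI.nl ZSK retire 2016-10-05 00:29:43 1024 8 d5104974928d9d3b962efe9cdb0d423c SoftHSM 30271
KVI.nl ZSK retire 2016-10-05 00:29:43 1024 8 63b58e329df2a6bfa09671425146b72d SoftHSM 20904
KVI.nl KSK active 2016-10-05 00:29:43 2048 8 933aa76282968a1212c6dd6de92a5dae SoftHSM 38854
KVI.nl ZSK ready 2016-10-05 00:29:43 1024 8 0ef4982714ed47c4cf84c87e62c38890 SoftHSM 13143
key list completed in 0 seconds.
"""


def parse_key_list(text):
    """Parse verbose key-list rows; headers, banners and blank lines are skipped."""
    keys = []
    for line in text.splitlines():
        tok = line.split()
        # Assumed layout: zone, type, state, transition (1+ tokens), size,
        # algorithm, CKA_ID, repository, keytag. The numeric columns mark a row.
        if len(tok) < 9 or not (tok[-5].isdigit() and tok[-4].isdigit()
                                and tok[-1].isdigit()):
            continue
        keys.append({
            "zone": tok[0], "type": tok[1], "state": tok[2],
            "transition": " ".join(tok[3:-5]),
            "size": int(tok[-5]), "algorithm": int(tok[-4]),
            "cka_id": tok[-3], "repository": tok[-2], "keytag": int(tok[-1]),
        })
    return keys


def zones_without_active(keys, key_type="ZSK"):
    """Return {zone: [(state, keytag), ...]} for zones that hold keys of
    key_type, none of which is in state 'active'."""
    by_zone = defaultdict(list)
    for k in keys:
        if k["type"] == key_type:
            by_zone[k["zone"]].append((k["state"], k["keytag"]))
    return {z: ks for z, ks in by_zone.items()
            if all(state != "active" for state, _ in ks)}


if __name__ == "__main__":
    for zone, ks in zones_without_active(parse_key_list(SAMPLE)).items():
        print(f"{zone}: no active ZSK; keys: {ks}")
```
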