[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Fred.Zwarts F.Zwarts at KVI.nl
Thu Sep 22 14:11:00 UTC 2016


I have attached the signconf file for the domain and the complete signed 
zone file.
In the zone file, there are a lot of records signed with the ZSK with KeyTag 
30271, but there is no DNSKEY with this tag in the zone.
In the signconf file this key has no <Publish/> in its section.
Note, this is not the key starting with 63b58..., but with d5104...
I hope that this helps to find the cause of the problem.
I think option 1) is the most probable one.

"Yuri Schaeffer" wrote in message 
news:dc5e47c4-7701-f695-6207-4e193ea0d29f at nlnetlabs.nl...

Hi Fred,

We are currently in the process of finding out why the retired ZSK after
the migration gets unpublished too fast. It seems an issue in the
migration script. Working on it.

This issue seems unrelated. Judging from the output the old ZSK DNSKEY
is still being published in the DNSKEY set. At least what the enforcer
is concerned:

> Zone:    Key role:  DS:  DNSKEY:      RRSIGDNSKEY:  RRSIG:       Pub:  Act:  Id:
> KVI.nl   ZSK        NA   hidden       NA            hidden       0     0     d5104974928d9d3b962efe9cdb0d423c
> KVI.nl   ZSK        NA   omnipresent  NA            unretentive  1     0     63b58e329df2a6bfa09671425146b72d
> KVI.nl   ZSK        NA   omnipresent  NA            rumoured     1     1     0ef4982714ed47c4cf84c87e62c38890

> Zone:    Keytype:  State:  Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
> KVI.nl   ZSK       retire  2016-10-05 00:29:43       1024   8           d5104974928d9d3b962efe9cdb0d423c  SoftHSM      30271
> KVI.nl   ZSK       retire  2016-10-05 00:29:43       1024   8           63b58e329df2a6bfa09671425146b72d  SoftHSM      20904
> KVI.nl   ZSK       ready   2016-10-05 00:29:43       1024   8           0ef4982714ed47c4cf84c87e62c38890  SoftHSM      13143

Notice the "Pub" flag on key 63b58e329df2a6bfa09671425146b72d and

The signer should include both keys in the set. 2 things could be happening:

1) A bug in the enforcer where it outputs the wrong signconf. Please
check the entry for the 63b58e329df2a6bfa09671425146b72d key in the
signconf. It should have a <ZSK/> element.

2) A bug in the signer where it fails to include the DNSKEY. I find this
unlikely, since it is explicitly told to do so and this code did not see
many changes for quite a while.

3) I almost don't dare to mention it: The DNSKEY is overlooked in the
signed file. It looks like the above mentioned problem of the faulty
migration and having no key in the 'active' is confusing?
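The check Fred describes (RRSIGs in the signed zone made by a key tag for which no DNSKEY is published) and the signconf check Yuri asks for (whether a key's section carries <ZSK/> and <Publish/>) can be automated. The script below is an added example written for this thread, not OpenDNSSEC code: it computes DNSKEY key tags per RFC 4034 Appendix B, lists RRSIG key tags with no matching DNSKEY, and flags signconf keys that are told to sign but not to publish. The zone text and signconf XML embedded in it are constructed samples that reproduce the symptom (the CKA_IDs are the ones from the enforcer output above; the DNSKEY "AQI=" is a dummy key whose tag works out to 1290); it assumes one RR per line in presentation format, as the signer writes it.

```python
"""Cross-check a signed zone against its OpenDNSSEC signconf.

Added example, not OpenDNSSEC code. Reports RRSIGs whose key tag has no
DNSKEY in the zone, and signconf <Key> entries with <ZSK/> or <KSK/> but no
<Publish/> (a key that signs without being in the DNSKEY RRset).
Assumes one RR per line, presentation format (no parenthesised multi-line RRs).
"""
import base64
import xml.etree.ElementTree as ET
from collections import Counter


def keytag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA wire form."""
    if algorithm == 1:  # RSAMD5 uses a different rule; not handled here
        raise ValueError("RSAMD5 (algorithm 1) key tags are not supported")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Return (Counter of DNSKEY key tags, Counter of RRSIG key tags)."""
    dnskeys, rrsig_tags = Counter(), Counter()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith(";"):
            continue
        # The RR type is the first DNSKEY/RRSIG token; owner, TTL and class precede it.
        idx = next((i for i, t in enumerate(tok) if t in ("DNSKEY", "RRSIG")), None)
        if idx is None:
            continue
        rdata = tok[idx + 1:]
        if tok[idx] == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            dnskeys[keytag(flags, proto, alg, "".join(rdata[3:]))] += 1
        else:
            # RRSIG RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
            rrsig_tags[int(rdata[6])] += 1
    return dnskeys, rrsig_tags


def orphan_signatures(text: str) -> dict:
    """Key tags that sign records in the zone but have no DNSKEY there -> RRSIG count."""
    dnskeys, rrsig_tags = parse_zone(text)
    return {tag: n for tag, n in rrsig_tags.items() if tag not in dnskeys}


def signconf_key_issues(xml_text: str) -> list:
    """Locators of keys that sign (<ZSK/> or <KSK/>) but lack <Publish/>."""
    root = ET.fromstring(xml_text)
    issues = []
    for key in root.iter("Key"):
        signs = key.find("ZSK") is not None or key.find("KSK") is not None
        if signs and key.find("Publish") is None:
            issues.append(key.findtext("Locator"))
    return issues


# Constructed sample zone: the published DNSKEY "AQI=" (flags 256, alg 8) has key
# tag 1290; the A record is signed by key tag 30271, which has no DNSKEY.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
kvi.example.     3600 IN DNSKEY 256 3 8 AQI=
kvi.example.     3600 IN RRSIG DNSKEY 8 2 3600 20161005002943 20160921002943 1290 kvi.example. c2lnbmF0dXJl
www.kvi.example. 3600 IN A 192.0.2.10
www.kvi.example. 3600 IN RRSIG A 8 3 3600 20161005002943 20160921002943 30271 kvi.example. c2lnbmF0dXJl
"""

# Constructed signconf fragment: the first key signs but is not published.
SAMPLE_SIGNCONF = """\
<SignerConfiguration>
  <Zone name="kvi.example">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>d5104974928d9d3b962efe9cdb0d423c</Locator><ZSK/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm>
           <Locator>0ef4982714ed47c4cf84c87e62c38890</Locator><ZSK/><Publish/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""

if __name__ == "__main__":
    for tag, n in orphan_signatures(SAMPLE_ZONE).items():
        print(f"{n} RRSIG(s) by key tag {tag} but no DNSKEY with that tag")
    for loc in signconf_key_issues(SAMPLE_SIGNCONF):
        print(f"signconf key {loc} has <ZSK/>/<KSK/> but no <Publish/>")
```

Run it against the real files by reading the signed zone and the signconf into the two functions in place of the samples; any key tag reported by orphan_signatures, or any locator reported by signconf_key_issues, is the enforcer/signer inconsistency discussed in this thread.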

-------------- next part --------------
A non-text attachment was scrubbed...
Name: KVI.nl.xml
Type: text/xml
Size: 1397 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160922/777b9f1f/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kvi.zone
Type: application/octet-stream
Size: 1348183 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160922/777b9f1f/attachment.obj>