[Opendnssec-user] ods 2.0.1 ZSK roll-over problem
Fred.Zwarts
F.Zwarts at KVI.nl
Thu Sep 22 14:11:00 UTC 2016
Hi,
I have attached the signconf file for the domain and the complete signed
zone file.
In the zone file, there are a lot of records signed with the ZSK with KeyTag
30271, but there is no DNSKEY with this tag in the zone.
In the signconf file this key has no <Publish/> in its section.
Note, this is not the key starting with 63b58..., but with d5104...
I hope that this helps to find the cause of the problem.
I think option 1) is the most probable one.
"Yuri Schaeffer" wrote in message
news:dc5e47c4-7701-f695-6207-4e193ea0d29f at nlnetlabs.nl...
Hi Fred,
We are currently in the process of finding out why the retired ZSK after
the migration gets unpublished too fast. It seems an issue in the
migration script. Working on it.
This issue seems unrelated. Judging from the output the old ZSK DNSKEY
is still being published in the DNSKEY set. At least as far as the enforcer
is concerned:
> Zone:   Key role:  DS:  DNSKEY:      RRSIGDNSKEY:  RRSIG:       Pub:  Act:  Id:
> KVI.nl  ZSK        NA   hidden       NA            hidden       0     0     d5104974928d9d3b962efe9cdb0d423c
> KVI.nl  ZSK        NA   omnipresent  NA            unretentive  1     0     63b58e329df2a6bfa09671425146b72d
> KVI.nl  ZSK        NA   omnipresent  NA            rumoured     1     1     0ef4982714ed47c4cf84c87e62c38890
>
> Zone:   Keytype:  State:  Date of next transition:  Size:  Algorithm:  CKA_ID:                           Repository:  KeyTag:
> KVI.nl  ZSK       retire  2016-10-05 00:29:43       1024   8           d5104974928d9d3b962efe9cdb0d423c  SoftHSM      30271
> KVI.nl  ZSK       retire  2016-10-05 00:29:43       1024   8           63b58e329df2a6bfa09671425146b72d  SoftHSM      20904
> KVI.nl  ZSK       ready   2016-10-05 00:29:43       1024   8           0ef4982714ed47c4cf84c87e62c38890  SoftHSM      13143
Notice the "Pub" flag on key 63b58e329df2a6bfa09671425146b72d and
0ef4982714ed47c4cf84c87e62c38890.
The signer should include both keys in the set. 2 things could be happening:
1) A bug in the enforcer where it outputs the wrong signconf. Please
check the entry for the 63b58e329df2a6bfa09671425146b72d key in the
signconf. It should have a <ZSK/> element.
2) A bug in the signer where it fails to include the DNSKEY. I find this
unlikely, since it is explicitly told to do so and this code did not see
many changes for quite a while.
3) I almost don't dare to mention it: the DNSKEY is overlooked in the
signed file. It looks like the above-mentioned problem of the faulty
migration and having no key in the 'active' state is confusing?
//Yuri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: KVI.nl.xml
Type: text/xml
Size: 1397 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160922/777b9f1f/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kvi.zone
Type: application/octet-stream
Size: 1348183 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160922/777b9f1f/attachment.obj>
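The two checks discussed in this thread (Fred's finding of RRSIGs whose key tag has no matching DNSKEY in the zone, and Yuri's option 1 of a signconf entry that signs with a key it does not publish) can be scripted. This is an added example, not code from OpenDNSSEC or from either poster; it assumes a presentation-format zone with one record per line including the IN class, and the signconf layout where each <Key> carries <Locator>, <ZSK/> and <Publish/> elements. The zone, keys and signconf below are constructed sample data.

```python
"""Cross-check a signed zone against its DNSKEY RRset and its signconf."""
import base64
import xml.etree.ElementTree as ET
from collections import defaultdict

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def orphan_rrsigs(zone_text: str) -> dict:
    """Key tags used by RRSIGs but absent from the zone's DNSKEY set,
    mapped to the (owner, type covered) pairs signed with them."""
    published, used = set(), defaultdict(list)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]      # assumes: owner TTL IN TYPE rdata...
        if rtype == "DNSKEY":
            flags, proto, alg = map(int, rdata[:3])
            published.add(key_tag(flags, proto, alg, base64.b64decode("".join(rdata[3:]))))
        elif rtype == "RRSIG":
            used[int(rdata[6])].append((owner, rdata[0]))  # RRSIG field 7 is the key tag
    return {tag: sigs for tag, sigs in used.items() if tag not in published}

def zsk_without_publish(signconf_xml: str) -> list:
    """Locators of signconf keys marked <ZSK/> (used to sign) but lacking <Publish/>."""
    root = ET.fromstring(signconf_xml)
    return [k.findtext("Locator") for k in root.iter("Key")
            if k.find("ZSK") is not None and k.find("Publish") is None]

# Constructed sample data: tiny fake public keys so the key tags are easy to verify
# by hand (2062 and 5160); the RRSIG with tag 30271 mirrors the orphan seen in the thread.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 8 ECA=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20161005002943 20160922000000 2062 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN RRSIG A 8 3 3600 20161005002943 20160922000000 30271 example.test. c2ln
mail.example.test. 3600 IN RRSIG A 8 3 3600 20161005002943 20160922000000 5160 example.test. c2ln
"""
SAMPLE_SIGNCONF = """<SignerConfiguration><Zone name="example.test."><Keys>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>d5104974928d9d3b962efe9cdb0d423c</Locator><ZSK/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>63b58e329df2a6bfa09671425146b72d</Locator><ZSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""

if __name__ == "__main__":
    print("RRSIGs without a published DNSKEY:", orphan_rrsigs(SAMPLE_ZONE))
    print("signconf ZSKs not published:", zsk_without_publish(SAMPLE_SIGNCONF))
```

Run it against the real signed zone and signconf by reading the files into the two functions; any non-empty result is a validation failure waiting to happen once the retired key's signatures are served without its DNSKEY.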