[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Sep 23 09:42:26 UTC 2016


Hi Fred,

Thanks for sharing the data; I now understand what has happened. The
root cause must have been an error in the migration script. I'll write
it down in detail so you can verify your part of the events.

1) Before migration there were two ZSKs in a rollover. Let's call those
ZSK1 (old) and ZSK2 (new).

2) The migration script was executed. ZSK2 was wrongfully marked as entirely
propagated (but in fact only some of the signatures were generated
with this key).

3) enforcer ran, concluded ZSK1 could be removed, instructed the signer
to stop publishing the DNSKEY of ZSK1. But the signer kept reusing
signatures of this key.

4) Now the user issued a rollover to ZSK3 to fix the situation. But now
we are in a situation where we still have signatures from ZSK1 and ZSK2.
Both will be replaced by signatures of ZSK3 over the course of 14 days.
(signature validity in KASP).


To come out of this situation you could issue a
	ods-signer clear kvi.nl
All signatures will then be regenerated at the next sign run, all of
them with ZSK3.

For us to do:
1) Fix migration script to better recognise current rollover.
2) Make sure the signer doesn't keep signatures of a key that is no
longer active or published.

Regards,
Yuri
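The failure described above (step 3 onwards) leaves RRSIGs in the zone that were made with a key whose DNSKEY is no longer published, which validating resolvers cannot verify. The following check, added here as an example and not code from Yuri's message or from OpenDNSSEC, detects that condition from a zone in presentation format: it computes the RFC 4034 key tag of every published DNSKEY and flags every RRSIG whose key tag matches none of them. The zone records, the zone name `example.net.` and the short public keys are constructed for the illustration (the key tags 2062, 4118 and 6174 stand in for ZSK1, ZSK2 and ZSK3); a real check would read the signed zone file written by the signer.

```python
"""Find RRSIGs in a signed zone whose signing key is absent from the DNSKEY RRset.

Added example; zone data below is constructed and not from a real zone.
"""
import base64
from collections import Counter


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5).

    The tag is a 16-bit checksum over the DNSKEY RDATA; it is what an RRSIG
    carries to name its signing key. Tags are not guaranteed unique, so a
    match means "a published key could have made this", not "this key did".
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd offsets low byte, even offsets high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text: str):
    """Return ({key_tag: (owner, flags)}, [(owner, covered, key_tag, expiration)])."""
    dnskeys = {}
    rrsigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        f = line.split()
        owner, rtype = f[0], f[3]         # owner TTL class TYPE rdata...
        if rtype == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pubkey = base64.b64decode("".join(f[7:]))
            dnskeys[dnskey_key_tag(flags, proto, alg, pubkey)] = (owner, flags)
        elif rtype == "RRSIG":
            # covered alg labels origttl expiration inception keytag signer sig
            rrsigs.append((owner, f[4], int(f[10]), f[8]))
    return dnskeys, rrsigs


def orphaned_signatures(dnskeys, rrsigs):
    """RRSIGs whose key tag belongs to no published DNSKEY (step 3 in the mail)."""
    return [sig for sig in rrsigs if sig[2] not in dnskeys]


def signatures_per_key(rrsigs):
    """How many RRSIGs each key tag still covers; shows a rollover in progress."""
    return Counter(sig[2] for sig in rrsigs)


# Constructed zone: ZSK1 (tag 2062) has already been dropped from the DNSKEY
# RRset, ZSK2 (tag 4118) and ZSK3 (tag 6174) are published, yet one RRSIG
# made with ZSK1 is still being reused by the signer.
ZONE = """
; constructed example, not a real zone
example.net.      3600 IN DNSKEY 256 3 8 BQYHCA==
example.net.      3600 IN DNSKEY 256 3 8 CQoLDA==
example.net.      3600 IN RRSIG A 8 2 3600 20161007000000 20160923000000 2062 example.net. c2ln
www.example.net.  3600 IN RRSIG A 8 3 3600 20161007000000 20160923000000 4118 example.net. c2ln
mail.example.net. 3600 IN RRSIG A 8 3 3600 20161007000000 20160923000000 6174 example.net. c2ln
"""


def check(text: str = ZONE):
    dnskeys, rrsigs = parse_zone(text)
    return orphaned_signatures(dnskeys, rrsigs), signatures_per_key(rrsigs)


if __name__ == "__main__":
    orphans, per_key = check()
    for owner, covered, tag, expiration in orphans:
        print(f"ORPHAN RRSIG {owner} {covered} keytag={tag} expires={expiration}")
    for tag, n in sorted(per_key.items()):
        print(f"keytag {tag}: {n} signature(s)")
```

Run against the signer's output zone, a non-empty orphan list is the signal that `ods-signer clear <zone>` (or a resign) is needed; the per-key counts let you watch the remaining ZSK1/ZSK2 signatures drain away as ZSK3 takes over.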
