[Opendnssec-user] ods 2.0.1 ZSK roll-over problem

Fred.Zwarts F.Zwarts at KVI.nl
Mon Sep 26 09:51:03 UTC 2016

Hi Yuri,

I have been away a few days, so sorry for the late response.

I am not sure that your diagnosis is the whole story.

We have had two cases of this problem. In the first case your diagnosis may 
apply, because it happened rather soon after the migration. However, at the 
moment of the migration, there was no roll-over in progress, but there were 
two KSKs (one active, one standby) and two ZSKs (one active, one standby). 
Soon (two days) after the migration a scheduled ZSK roll-over started.

The second case, on a different system, however, (from which I sent you the 
database) happened when ods had been running for about one month. There were 
no keys left from the migration, because a KSK and a ZSK roll-over had 
completed already. At that moment there was one KSK and there was one active 
ZSK and one ready (standby) ZSK. Then I forced a ZSK roll-over. So, I still 
think that the problem is not (only) the migration, but also the use of a 
standby ZSK.

But, anyhow, it is good to make sure the signer doesn't keep signatures of a 
key that is no longer active or publish.
But the question remains: what should the signer do if there are no ZSKs 
active of publish?
We now have the situation with two retiring ZSKs and one ready ZSK.
How long do we have to wait, till the ready ZSK will become active?

Thanks, for your help,

"Yuri Schaeffer"  schreef in bericht 
news:2c127074-c0c2-2132-6da0-0fe173054fee at nlnetlabs.nl...

Hi Fred,

Thanks for sharing the data, I now understand what has happened. The
root cause must have been an error in the migration script. I'll write
it down in detail so you can verify your part of the events.

1) Before migration there where two ZSKs in a rollover. Lets call those
ZSK1(old) and ZSK2(new).

2) migration script was executed. ZSK2 was wrongfully marked as entirely
propagated. (but in fact only some of the signatures where generated
with this key)

3) enforcer ran, concluded ZSK1 could be removed, instructed the signer
to stop publishing the DNSKEY of ZSK1. But the signer kept reusing
signatures of this key.

4) Now the user issued a rollover to ZSK3 to fix the situation. But now
we are in a situation where we still have signatures from ZSK1 and ZSK2.
Both will be replaced by signatures of ZSK3 over the course of 14 days.
(signature validity in KASP).

To come out of this situation you could issue a
ods-signer clear kvi.nl
All signatures will then be regenerated at the next sign run. All of
them with ZSK3

For us to do:
1) Fix migration script to better recognise current rollover.
2) Make sure the signer doesn't keep signatures of a key that is no
longer active or publish.


Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list