[Opendnssec-user] ods 2.0.1 ZSK roll-over problem
F.Zwarts at KVI.nl
Mon Sep 26 09:51:03 UTC 2016
I have been away a few days, so sorry for the late response.
I am not sure that your diagnosis is the whole story.
We have had two cases of this problem. In the first case your diagnosis may
apply, because it happened rather soon after the migration. However, at the
moment of the migration, there was no roll-over in progress, but there were
two KSKs (one active, one standby) and two ZSKs (one active, one standby).
Soon (two days) after the migration a scheduled ZSK roll-over started.
The second case, on a different system, however, (from which I sent you the
database) happened when ods had been running for about one month. There were
no keys left from the migration, because a KSK and a ZSK roll-over had
completed already. At that moment there was one KSK and there was one active
ZSK and one ready (standby) ZSK. Then I forced a ZSK roll-over. So, I still
think that the problem is not (only) the migration, but also the use of a
But, anyhow, it is good to make sure the signer doesn't keep signatures of a
key that is no longer active or publish.
But the question remains: what should the signer do if there are no ZSKs
active of publish?
We now have the situation with two retiring ZSKs and one ready ZSK.
How long do we have to wait, till the ready ZSK will become active?
Thanks, for your help,
"Yuri Schaeffer" schreef in bericht
news:2c127074-c0c2-2132-6da0-0fe173054fee at nlnetlabs.nl...
Thanks for sharing the data, I now understand what has happened. The
root cause must have been an error in the migration script. I'll write
it down in detail so you can verify your part of the events.
1) Before migration there where two ZSKs in a rollover. Lets call those
ZSK1(old) and ZSK2(new).
2) migration script was executed. ZSK2 was wrongfully marked as entirely
propagated. (but in fact only some of the signatures where generated
with this key)
3) enforcer ran, concluded ZSK1 could be removed, instructed the signer
to stop publishing the DNSKEY of ZSK1. But the signer kept reusing
signatures of this key.
4) Now the user issued a rollover to ZSK3 to fix the situation. But now
we are in a situation where we still have signatures from ZSK1 and ZSK2.
Both will be replaced by signatures of ZSK3 over the course of 14 days.
(signature validity in KASP).
To come out of this situation you could issue a
ods-signer clear kvi.nl
All signatures will then be regenerated at the next sign run. All of
them with ZSK3
For us to do:
1) Fix migration script to better recognise current rollover.
2) Make sure the signer doesn't keep signatures of a key that is no
longer active or publish.
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
More information about the Opendnssec-user