[Opendnssec-user] odd-enforce zapping domains

David Peall david at dnservices.co.za
Mon Sep 26 16:43:51 UTC 2016


Ok, so I came right. I added the zone entries in the zone table.

Then I added the keyData for the KSKs and linked them to the correct zone and the correct key in the hsmKey table.

I started and then stopped the OpenDNSSEC system.

It created the default keyState entries. I used those and the following commands to get the keys back to ACTIVE:
ods-enforcer key list -d
ods-enforcer key list -v

 - Side note: it would be super useful to know which database states correspond to which key states.

The DNSKEY entries and the DNSKEY RRSIG still didn't appear in the zone; the sea is signed correctly.

I then set nextChange in the zone table back, which started a ZSK rollover. I did that a few times and it got stuck on PUBLISH.

I rolled the machine clock forward a day and the new ZSK changed to READY and the old one to RETIRE, and the zone re-signed and contained all the DNSKEY entries and the DNSKEY RRSIG.

I then rolled the machine clock back and re-signed; the zone file looks fine, all the RRSIGs are valid and signed with the new ZSK.

OpenDNSSEC shooting its own DB seems to be a rather drastic bug, what is the timeline on a fix for this?

David Peall

> On 26 Sep 2016, at 1:05 PM, David Peall <david at dnservices.co.za> wrote:
> Hi 
> I’ve been looking around; I’m using the following to extract the DNSKEY values out of the HSM and match them to the zone files so I can re-link them in the database.
> KSK - ods-hsmutil dnskey <id> test 257 8
> ZSK - ods-hsmutil dnskey <id> test 257 8


ZSK - ods-hsmutil dnskey <id> test 256 8

> The rest of the database looks fairly straightforward; if there is any heads-up I’d appreciate it.
> Regards
> David Peall
>> On 26 Sep 2016, at 12:30 PM, David Peall <david at dnservices.co.za> wrote:
>> Hi
>> Is it possible to rebuild the database for 3 zones that were deleted from the database? ods-signer is still signing the 3 domains:
>> ods-signer zones
>> There are 3 zones configured
>> - 1
>> - 2
>> - 3
>> ods-enforcer zone list
>> Database set to: opendnssec
>> No zones in database.
>> zone list completed in 0 seconds. 
>> Keys are still in the HSM.
>> I need to keep the KSK at minimum; the ZSK and RRSIG records can be re-generated.
>> Regards
>> David Peall
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
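The matching step described in the thread (dump each key in the HSM as a DNSKEY RR, then find which DNSKEY in the signed zone it corresponds to so the right hsmKey row can be linked to the right key) is easy to get wrong by eye, because the owner name passed to ods-hsmutil ("test" above) is not part of the key material. The script below is an added example, not code from the thread or from the OpenDNSSEC project. It assumes the HSM export lines are in the same presentation format as the zone's DNSKEY RRs (`<name> <ttl> IN DNSKEY <flags> 3 <alg> <base64>`, one per key), computes RFC 4034 Appendix B key tags, and matches on flags, algorithm and public-key bytes only. The RSA keys and HSM ids (a1, b2, c3) are constructed toy data, not real keys.

```python
"""Match DNSKEY RRs exported from an HSM against the DNSKEYs published in a signed zone.

Added example (not OpenDNSSEC code).  Assumption: the HSM export lines look like the
zone's own DNSKEY RRs in presentation format.  Key tags follow RFC 4034 Appendix B.
"""
import base64
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple


class DNSKEY(NamedTuple):
    name: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2), protocol (1), algorithm (1), public key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    @property
    def keytag(self) -> int:
        # RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA bytes
        # (valid for every algorithm except the obsolete RSA/MD5, algorithm 1).
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def role(self) -> str:
        # Bit 15 of the flags field is the SEP bit: 257 = KSK, 256 = ZSK.
        return "KSK" if self.flags & 1 else "ZSK"


def parse_dnskey(line: str) -> Optional[DNSKEY]:
    """Parse one '<name> <ttl> IN DNSKEY <flags> <proto> <alg> <b64...>' line.

    Returns None for any other record type so a whole zone file can be fed through.
    """
    fields = line.split(";", 1)[0].split()  # drop trailing comments
    if len(fields) < 8 or fields[3].upper() != "DNSKEY":
        return None
    name, _ttl, _cls, _typ, flags, proto, algo = fields[:7]
    pubkey = base64.b64decode("".join(fields[7:]))  # base64 may be split into chunks
    return DNSKEY(name.lower(), int(flags), int(proto), int(algo), pubkey)


def match_hsm_keys(zone_lines: List[str],
                   hsm_export: List[Tuple[str, str]]) -> Tuple[Dict[str, DNSKEY], List[str]]:
    """Map each HSM key id to the zone DNSKEY with the same flags, algorithm and key bytes.

    The owner name is deliberately ignored: it is not part of the key and is whatever
    name was passed on the ods-hsmutil command line.  Returns (matched, unmatched_ids).
    """
    in_zone: Dict[Tuple[int, int, bytes], DNSKEY] = {}
    for line in zone_lines:
        rr = parse_dnskey(line)
        if rr is not None:
            in_zone[(rr.flags, rr.algorithm, rr.pubkey)] = rr
    matched: Dict[str, DNSKEY] = {}
    unmatched: List[str] = []
    for hsm_id, line in hsm_export:
        rr = parse_dnskey(line)
        if rr is not None and (rr.flags, rr.algorithm, rr.pubkey) in in_zone:
            matched[hsm_id] = in_zone[(rr.flags, rr.algorithm, rr.pubkey)]
        else:
            unmatched.append(hsm_id)
    return matched, unmatched


# --- constructed sample data (toy RSA keys, not real ones) ---------------------------

def rsa_pubkey(modulus: bytes, exponent: bytes = b"\x01\x00\x01") -> bytes:
    """RFC 3110 DNSKEY encoding of an RSA public key: exponent length, exponent, modulus."""
    return bytes([len(exponent)]) + exponent + modulus


def dnskey_line(name: str, flags: int, algo: int, pubkey: bytes, ttl: int = 3600) -> str:
    return f"{name} {ttl} IN DNSKEY {flags} 3 {algo} {base64.b64encode(pubkey).decode()}"


# Signed zone publishing one KSK and one ZSK (algorithm 8, RSA/SHA-256).
ZONE_LINES = [
    "example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2016092601 3600 900 1209600 3600",
    dnskey_line("example.test.", 257, 8, rsa_pubkey(b"\x01" * 8)),
    dnskey_line("example.test.", 256, 8, rsa_pubkey(b"\x02" * 8)),
]
# HSM export: the same two keys plus an old ZSK that is no longer in the zone.
# Ids a1/b2/c3 are hypothetical; the owner name 'test' mirrors the thread's command line.
HSM_EXPORT = [
    ("a1", dnskey_line("test", 257, 8, rsa_pubkey(b"\x01" * 8))),
    ("b2", dnskey_line("test", 256, 8, rsa_pubkey(b"\x02" * 8))),
    ("c3", dnskey_line("test", 256, 8, rsa_pubkey(b"\x04" * 8))),
]

if __name__ == "__main__":
    matched, unmatched = match_hsm_keys(ZONE_LINES, HSM_EXPORT)
    for hsm_id, rr in matched.items():
        print(f"HSM key {hsm_id}: {rr.role} keytag {rr.keytag} alg {rr.algorithm} -> {rr.name}")
    for hsm_id in unmatched:
        print(f"HSM key {hsm_id}: not published in the zone")
```

The key tags printed for the matched keys are the ones to cross-check against the enforcer's verbose key listing once the keyData and hsmKey rows have been re-linked; an HSM key that matches nothing in the zone is a candidate for a retired key rather than one that needs a keyData row.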
