[Opendnssec-user] Zone signed by key in retire state
jake.zack at cira.ca
Tue Sep 27 15:37:10 UTC 2016
Confirmed it does work (nuking signature cache and restarting Ods)…
CIRA’s signing system signs separately with both BIND and ODS, then compares at the end, and only after validity checks and comparison is it published to the world…so we’ve occasionally seen ODS have signatures that haven’t expired yet for outgoing keys cause issues where BIND doesn’t have the same signatures on-hand.
It’s not ideal, as stated below…because it causes a full re-sign of the zone…versus using the perfectly valid signatures under the old key. If you have a small zone, though, I guess the extra few seconds of signing time probably isn’t a major concern.
We tend to do:
/sbin/service ods-signerd stop
rm –rf /var/opendnssec/tmp/* /var/opendnssec/signed/*
/sbin/service ods-signerd start
We stop and restart ods-signerd because we’re set to “keep” serial rather than increment…and ods-signerd doesn’t like signing the same serial twice.
We’re moving away from the dual-signer setup, now, however, as we believe both software’s have matured in their DNSSEC handling, and after years of comparing zone output, the value in combing over minute differences in outputs is no longer as substantial as it once was.
From: Opendnssec-user [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Arun Natarajan
Sent: Tuesday, September 27, 2016 11:14 AM
To: Yuri Schaeffer
Cc: Opendnssec-user at lists.opendnssec.org List
Subject: Re: [Opendnssec-user] Zone signed by key in retire state
OpenDNSSEC tries to keep signatures in the zone as long as they are
valid. Only when a signature expires and thus needs a resign, the
signature is generated with the new ZSK.
You'll notice that some signatures are generated with the new ZSK and
some with the old ZSK. The signature validity is configurable in the
KASP. During that time both ZSKs have their DNSKEY record published in
My understanding was, it create new signatures with the new key once the keys is rolled.
> I guess if we clear the ods and run signer again it will work, but
> wondering why it does not happen automatically?
It would work, but it is probably not what you want.
Yeah, probably not a good idea. Might be useful in emergency roll over though.
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org<mailto:Opendnssec-user at lists.opendnssec.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-user