[Opendnssec-user] Zone signed by key in retire state

Marc Groeneweg Marc.Groeneweg at sidn.nl
Wed Sep 28 08:34:46 UTC 2016


It’s not only the signing time that is of consequence. After full resign of your zone, you also enforce a full AXFR of your zone to your nameservers. We fully trust on the operation of OpenDNSSEC btw. After a few checks and such, before publishing the zone… ;-)


From: Opendnssec-user <opendnssec-user-bounces at lists.opendnssec.org> on behalf of Jake Zack <jake.zack at cira.ca>
Date: Tuesday, 27 September 2016 at 17:37
To: "Opendnssec-user at lists.opendnssec.org List" <opendnssec-user at lists.opendnssec.org>
Subject: Re: [Opendnssec-user] Zone signed by key in retire state

Confirmed it does work (nuking signature cache and restarting Ods)…

CIRA’s signing system signs separately with both BIND and ODS, then compares at the end, and only after validity checks and comparison is it published to the world…so we’ve occasionally seen ODS have signatures that haven’t expired yet for outgoing keys cause issues where BIND doesn’t have the same signatures on-hand.

It’s not ideal, as stated below…because it causes a full re-sign of the zone…versus using the perfectly valid signatures under the old key.  If you have a small zone, though, I guess the extra few seconds of signing time probably isn’t a major concern.

We tend to do:

/sbin/service ods-signerd stop
rm –rf /var/opendnssec/tmp/* /var/opendnssec/signed/*
/sbin/service ods-signerd start

We stop and restart ods-signerd because we’re set to “keep” serial rather than increment…and ods-signerd doesn’t like signing the same serial twice.

We’re moving away from the dual-signer setup, now, however, as we believe both software’s have matured in their DNSSEC handling, and after years of comparing zone output, the value in combing over minute differences in outputs is no longer as substantial as it once was.


From: Opendnssec-user [mailto:opendnssec-user-bounces at lists.opendnssec.org] On Behalf Of Arun Natarajan
Sent: Tuesday, September 27, 2016 11:14 AM
To: Yuri Schaeffer
Cc: Opendnssec-user at lists.opendnssec.org List
Subject: Re: [Opendnssec-user] Zone signed by key in retire state

Thanks Yuri,

OpenDNSSEC tries to keep signatures in the zone as long as they are
valid. Only when a signature expires and thus needs a resign, the
signature is generated with the new ZSK.

You'll notice that some signatures are generated with the new ZSK and
some with the old ZSK. The signature validity is configurable in the
KASP. During that time both ZSKs have their DNSKEY record published in
the zone.

My understanding was, it create new signatures with the new key once the keys is rolled.

> I guess if we clear the ods and run signer again it will work, but
> wondering why it does not happen automatically?

It would work, but it is probably not what you want.

Yeah, probably not a good idea. Might be useful in emergency roll over though.



Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org<mailto:Opendnssec-user at lists.opendnssec.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160928/82b9b682/attachment.htm>

More information about the Opendnssec-user mailing list