[Opendnssec-user] manual key rollover results in "1970-01-01 01:00:00"

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Nov 13 09:04:32 UTC 2017


Hi Casper,


> I have one zone that has the same problem (1970-01-01 01:00:00) and also
> nextChange = 0. (I guess that's the same value). It does happen to be
> the zone that I use for most of my testing.
> 
> 
> root@metagross:~# ods-enforcer key list --zone scpdata.org
> Keys:
> Zone:                           Keytype: State:    Date of next transition:
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     ZSK      retire    1970-01-01 01:00:00
> scpdata.org                     ZSK      retire    1970-01-01 01:00:00
> scpdata.org                     ZSK      active    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      retire    1970-01-01 01:00:00
> scpdata.org                     KSK      ready     waiting for ds-seen
> key list completed in 1 seconds.
> 
> 
> The large number of KSKs is due to testing. This zone uses fairly
> aggressive KASP timings to speed up testing.
> 
> Anything I can do to help?

Is this a KASP with automatic or manual rolling KSKs? If it is manual
there is nothing to do ever (nothing needs to be scheduled) since it is
waiting for user input.

Therefore these values are never updated (due to the aforementioned
bug). But if we really want to know if OpenDNSSEC is working correctly
it is necessary to look at its output. These timestamps are display only.

Please take a look at the signconf file it produces for this zone and
the signed zonefile the signer produces and make sure the correct keys
are being used.

//Yuri
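
Added example, not part of the original message and not OpenDNSSEC code: one way to do the signed-zone check suggested above is to compute the key tag of every DNSKEY in the signed zone file and list which RRset types each key actually signs. It assumes one record per line with explicit TTL and class; the zone name example.test, the key material and the signatures are constructed sample values.

```python
import base64

# Constructed sample in the one-record-per-line layout assumed for the
# signer's output; key material and signatures are dummy values.
SIGNED_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 8 BQYHCA==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20171201000000 20171113000000 2063 example.test. c2ln
example.test. 3600 IN RRSIG SOA 8 2 3600 20171201000000 20171113000000 4118 example.test. c2ln
www.example.test. 3600 IN RRSIG A 8 3 3600 20171201000000 20171113000000 4118 example.test. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    # Even-offset bytes are the high octet of each 16-bit word.
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def keys_in_use(zone_text):
    """Map key tag -> {"role": KSK/ZSK/unpublished, "signs": covered types}."""
    keys, signed_by = {}, {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            tag = key_tag(flags, proto, alg, "".join(f[7:]))
            # SEP bit (flags 257) marks a KSK, flags 256 a ZSK.
            keys[tag] = {"role": "KSK" if flags & 1 else "ZSK", "signs": set()}
        elif f[3] == "RRSIG" and len(f) >= 13:
            # RRSIG RDATA: covered alg labels ttl expire incept keytag signer sig
            signed_by.setdefault(int(f[10]), set()).add(f[4])
    for tag, types in signed_by.items():
        # A signature from a tag with no matching DNSKEY is flagged.
        entry = keys.setdefault(tag, {"role": "unpublished", "signs": set()})
        entry["signs"] |= types
    return keys

def report(zone_text):
    for tag, info in sorted(keys_in_use(zone_text).items()):
        signs = ",".join(sorted(info["signs"])) or "(not signing)"
        print(f"{tag:5d} {info['role']:11s} {signs}")

if __name__ == "__main__":
    report(SIGNED_ZONE)
```

In a healthy zone the KSK tag appears only on the DNSKEY RRset and the active ZSK tag on everything else; retired keys should show up as "(not signing)" or not at all.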
