[Opendnssec-user] Get "all" keys / export by CKA_ID

Casper Gielen C.Gielen at uvt.nl
Tue Aug 14 11:16:38 UTC 2018

Hey guys,
I've been struggling with something that feels like it should be easy. I'm using ODS 
I'd like ODS to give me a list of all keys that should be in the parent zone.

As far as I can tell this is a four step process:

First, extract the CKA_IDs of the keys that have Pub == 1 from 'key list -d':
  root at ramachandra:~# ods-enforcer key list --zone example.com --keytype ksk -d
  Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
  example.com                      KSK           unretentive  unretentive  unretentive  NA           0    0    149b8a0b2bba19195208231d5bf0d6a5
  example.com                      KSK           omnipresent  omnipresent  omnipresent  NA           1    1    550785d7a016b8814ec44ab61cedca2a
  example.com                      KSK           hidden       rumoured     rumoured     NA           1    1    f9ed71a437624a79821582653086be78
-> 550785d7a016b8814ec44ab61cedca2a, f9ed71a437624a79821582653086be78

Second, match the CKA_IDs from 'key list -d' with the output from 'key list -v' to get the KeyTags.
  root at ramachandra:~# ods-enforcer key list --zone example.com -v
  Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
  example.com                      KSK      retire    waiting for ds-gone      2048  8          149b8a0b2bba19195208231d5bf0d6a5 LocalHSM    43531
  example.com                      KSK      active    2018-08-14 13:12:55      2048  8          550785d7a016b8814ec44ab61cedca2a LocalHSM    57715
  example.com                      KSK      publish   2018-08-14 13:12:55      2048  8          f9ed71a437624a79821582653086be78 LocalHSM    28411
-> 57715, 28411

Thirdly, match the KeyTags with the output from 'ods-enforcer key export' to get to the actual key.
Finally, repeat these steps for the various keystates ('publish ready active retire').

 ods-enforcer key export --zone $zone --keytype ksk 
   example.com.     3600    IN      DNSKEY  257 3 8 Aw...5shk= ;{id = 43531 (ksk), size = 2048b}

 ods-enforcer key export --zone mijnuvt.nl --keytype ksk --keystate active
   example.com.     3600    IN      DNSKEY  257 3 8 Aw...axPU= ;{id = 57715 (ksk), size = 2048b}

 ods-enforcer key export --zone mijnuvt.nl --keytype ksk --keystate publish
   example.com.     3600    IN      DNSKEY  257 3 8 Aw...aHLc= ;{id = 10840 (ksk), size = 2048b}

-> Aw...axPU=, Aw...aHLc=

It seems way too complicated for something that. Am I overlooking something?

PS 1.
The way the terms 'active' and 'publish' are used is confusing to me.
The command 'ods-enforcer key list -d' has columns named 'Pub' and 'Act' that only
roughly correspond to the keystates named 'publish' and 'active'. I guess this is a
leftover from ODS 1. 

PS 2.
By default 'ods-enforcer key export' shows only keys with keystate==retire.
That seems an odd choice.

PS 3.
I would have filed feature requests if I didn't have the feeling I'm doing something wrong.
Unless someone points out an easy solution I might file the following feature requests:

1. Add '--keytag' and '--cka_id' options to ods-export.
2. Make ods-export by default either export exactly those keys that should be published
   in the parent zone or just every key known. 
    ods-enforcer key export --zone $zone --keytype ksk 
    -> Aw...axPU=, Aw...aHLc=

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
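
The four-step matching described in the post above, as an added worked example (this is not code from the OpenDNSSEC project or from the post's author): a POSIX shell script that joins the three ods-enforcer listings so that only the KSK DNSKEY records with Pub == 1 are printed. The ods-enforcer output embedded in it is constructed sample text modelled on the listings in the post, with the key tags made consistent between 'key list -v' and 'key export' and one constructed ZSK row added to show the keytype filter; the live commands it stands in for are given in comments, using only the flags the post itself uses.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC project code: stitch 'key list -d',
# 'key list -v' and 'key export' together to print the KSK DNSKEY RRs that
# should currently be in the parent zone.

# Step 1: 'key list -d' -> CKA_IDs of KSKs whose Pub column is 1.
# Columns: Zone, Key role, DS, DNSKEY, RRSIGDNSKEY, RRSIG, Pub, Act, Id
# (the header line splits "Key role:" into two words, so $2 != "KSK" there).
published_ksk_ids() {
    awk '$2 == "KSK" && $7 == 1 { print $9 }'
}

# Step 2: 'key list -v' -> "CKA_ID KeyTag" pairs for KSKs.
# "Date of next transition" has a variable number of words ("waiting for
# ds-gone" vs "2018-08-14 13:12:55"), so count fields from the end:
# KeyTag is $NF, Repository is $(NF-1), CKA_ID is $(NF-2).
ksk_cka_to_keytag() {
    awk '$2 == "KSK" { print $(NF-2), $NF }'
}

# Step 3: 'key export' -> DNSKEY lines whose ";{id = NNNN (ksk), ...}" comment
# carries a key tag listed (one per line) in the file given as $1.
select_dnskeys_by_tag() {
    awk -v tagfile="$1" '
        BEGIN { while ((getline t < tagfile) > 0) want[t] = 1 }
        $4 == "DNSKEY" && $9 == ";{id" && ($11 in want) { print }
    '
}

# Driver: $1, $2, $3 are files holding the three listings. Live equivalent:
#   ods-enforcer key list --zone "$zone" --keytype ksk -d  > list_d.txt
#   ods-enforcer key list --zone "$zone" -v               > list_v.txt
#   for s in publish ready active retire; do
#       ods-enforcer key export --zone "$zone" --keytype ksk --keystate "$s"
#   done > export.txt
# (step 4 of the post: export defaults to retire, so every state is asked for)
parent_dnskeys() {
    list_d=$1; list_v=$2; export_all=$3
    tmp_ids=$(mktemp); tmp_map=$(mktemp); tmp_tags=$(mktemp)
    published_ksk_ids < "$list_d" > "$tmp_ids"
    ksk_cka_to_keytag < "$list_v" > "$tmp_map"
    # Join on CKA_ID: keep only the key tags of published KSKs. FILENAME is
    # compared instead of NR==FNR so an empty id file cannot mis-join.
    awk 'FILENAME == ARGV[1] { pub[$1] = 1; next } ($1 in pub) { print $2 }' \
        "$tmp_ids" "$tmp_map" > "$tmp_tags"
    select_dnskeys_by_tag "$tmp_tags" < "$export_all"
    rm -f "$tmp_ids" "$tmp_map" "$tmp_tags"
}

# CONSTRUCTED sample listings (modelled on the post; not real ods-enforcer
# output, and the key material is a placeholder, not a real DNSKEY).
write_sample_inputs() {
    dir=$1
    cat > "$dir/list_d.txt" <<'EOF'
Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
example.com                      KSK           unretentive  unretentive  unretentive  NA           0    0    149b8a0b2bba19195208231d5bf0d6a5
example.com                      KSK           omnipresent  omnipresent  omnipresent  NA           1    1    550785d7a016b8814ec44ab61cedca2a
example.com                      KSK           hidden       rumoured     rumoured     NA           1    1    f9ed71a437624a79821582653086be78
example.com                      ZSK           NA           omnipresent  NA           omnipresent  1    1    0123456789abcdef0123456789abcdef
EOF
    cat > "$dir/list_v.txt" <<'EOF'
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
example.com                      KSK      retire    waiting for ds-gone      2048  8          149b8a0b2bba19195208231d5bf0d6a5 LocalHSM    43531
example.com                      KSK      active    2018-08-14 13:12:55      2048  8          550785d7a016b8814ec44ab61cedca2a LocalHSM    57715
example.com                      KSK      publish   2018-08-14 13:12:55      2048  8          f9ed71a437624a79821582653086be78 LocalHSM    28411
example.com                      ZSK      active    2018-08-20 13:12:55      1024  8          0123456789abcdef0123456789abcdef LocalHSM    11111
EOF
    cat > "$dir/export.txt" <<'EOF'
example.com.     3600    IN      DNSKEY  257 3 8 AwEAAcONSTRUCTEDretiredKSK= ;{id = 43531 (ksk), size = 2048b}
example.com.     3600    IN      DNSKEY  257 3 8 AwEAAcONSTRUCTEDactiveKSK== ;{id = 57715 (ksk), size = 2048b}
example.com.     3600    IN      DNSKEY  257 3 8 AwEAAcONSTRUCTEDpublishKSK= ;{id = 28411 (ksk), size = 2048b}
EOF
}

# Demo on the constructed sample: prints the active and publish KSKs only.
demo_dir=$(mktemp -d)
write_sample_inputs "$demo_dir"
parent_dnskeys "$demo_dir/list_d.txt" "$demo_dir/list_v.txt" "$demo_dir/export.txt"
rm -rf "$demo_dir"
```

The join is done on CKA_ID rather than on key state names, which sidesteps the 'Pub'/'Act' versus 'publish'/'active' mismatch noted in PS 1: whatever the state column says, a KSK is selected exactly when 'key list -d' reports Pub == 1.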
