[Opendnssec-user] Rollover: DNSKEY for old KSK gone from signed zone before issuing ds-seen/ds-gone commands

Julian Brost julian at 0x4a42.net
Sun Jan 7 20:07:21 UTC 2018


Hi,

I have some trouble understanding what happened regarding two KSK
rollovers I did for testing purposes on one zone.

In these rollovers, the following three KSKs were involved (identified
by their key tag as well as a letter to make reading easier later):
55883 (A) -> 55828 (B) -> 23035 (C).

The first rollover (A -> B) happened without issues, including updating
the DS records in the parent zone, so I issued a ds-seen command for B
and a ds-gone command for A.

Now, next day, next rollover (B -> C), so far I only issued the rollover
command, no ds-seen/ds-gone so far, which can also be seen in the key
list output. OpenDNSSEC now outputs a signed zone file which only
contains DNSKEY records for the keys A and C, but not for B, which is
the only key that is currently referenced via a DS record in the parent
zone. This resulted in the zone becoming unresolvable.

Now I'm wondering why this happens and if this might be a bug in
OpenDNSSEC. At least it isn't consistent with my current understanding
on how key rollovers work with OpenDNSSEC. I always trigger a rollover
(or wait for the automatic rollover), wait until the key becomes ready,
add/remove all DS records in the parent zone according to 'waiting for
ds-seen/ds-gone' output in the key list and issue the ds-seen/ds-gone
commands as soon as the changes appear on the nameservers of the parent
zone. So from my understanding, the zone should be resolvable with both
only the old and only the new DS record present in the parent zone. Is
there any problem with this approach? Unfortunately I didn't find any
documentation that clearly states how to properly do a KSK rollover
(like issue this command, wait for that, etc.).

See the attached file `log.txt` for the syslog snippets showing the
involved keys and the output of `ods-enforcer key list` as of now.
OpenDNSSEC version is 2.1.3, running on Debian sid. Let me know if you
need any additional information.

Regards,
Julian
-------------- next part --------------
# first rollover
Jan 06 15:23:22 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: somedomain.de
Jan 06 15:23:23 ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
Jan 06 19:23:22 ods-enforcerd: [enforce_task] please retract DS with keytag 55883 for zone somedomain.de
Jan 06 19:23:22 ods-enforcerd: [enforce_task] please submit DS with keytag 55828 for zone somedomain.de
# second rollover
Jan 07 15:54:05 ods-enforcerd: [keystate_rollover_cmd] Manual rollover initiated for KSK on Zone: somedomain.de
Jan 07 15:54:06 ods-enforcerd: 1 new KSK(s) (256 bits) need to be created.
Jan 07 19:54:05 ods-enforcerd: [enforce_task] please retract DS with keytag 55828 for zone somedomain.de
Jan 07 19:54:05 ods-enforcerd: [enforce_task] please submit DS with keytag 23035 for zone somedomain.de

# ods-enforcer key list -z somedomain.de -t KSK -v
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
somedomain.de                   KSK      retire    2018-01-07 23:54:05      256   13         58bf379c972e469815cee4b53395b0bc SoftHSMv2   55883
somedomain.de                   KSK      retire    waiting for ds-gone      256   13         4d785be21a27eef0e72e383f8817583b SoftHSMv2   55828
somedomain.de                   KSK      ready     waiting for ds-seen      256   13         b98298632fdb3f756a28353960b123c7 SoftHSMv2   23035
# ods-enforcer key list -z somedomain.de -t KSK -d
Keys:
Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
somedomain.de                   KSK           unretentive  omnipresent  omnipresent  NA           1    1    58bf379c972e469815cee4b53395b0bc
somedomain.de                   KSK           unretentive  unretentive  unretentive  NA           0    0    4d785be21a27eef0e72e383f8817583b
somedomain.de                   KSK           rumoured     omnipresent  omnipresent  NA           1    1    b98298632fdb3f756a28353960b123c7
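
A small check that reproduces the diagnosis above from the enforcer's own output. This is an added example, not OpenDNSSEC code: it joins the `key list -v` output (CKA_ID to key tag) with the `key list -d` states, takes the set of key tags whose DS is currently in the parent (here 55828, as stated in the post), and reports when no parent DS points at a KSK whose DNSKEY and RRSIGDNSKEY are both omnipresent. It only reads the enforcer's view; it does not query DNS.

```python
# Sample output copied from the post's `ods-enforcer key list` runs.
KEY_LIST_V = """\
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
somedomain.de                   KSK      retire    2018-01-07 23:54:05      256   13         58bf379c972e469815cee4b53395b0bc SoftHSMv2   55883
somedomain.de                   KSK      retire    waiting for ds-gone      256   13         4d785be21a27eef0e72e383f8817583b SoftHSMv2   55828
somedomain.de                   KSK      ready     waiting for ds-seen      256   13         b98298632fdb3f756a28353960b123c7 SoftHSMv2   23035
"""

KEY_LIST_D = """\
Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
somedomain.de                   KSK           unretentive  omnipresent  omnipresent  NA           1    1    58bf379c972e469815cee4b53395b0bc
somedomain.de                   KSK           unretentive  unretentive  unretentive  NA           0    0    4d785be21a27eef0e72e383f8817583b
somedomain.de                   KSK           rumoured     omnipresent  omnipresent  NA           1    1    b98298632fdb3f756a28353960b123c7
"""


def parse_key_lists(verbose_out, debug_out):
    """Join `key list -v` (CKA_ID -> keytag) with `key list -d` (per-record states)."""
    tag_by_id = {}
    for line in verbose_out.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].endswith(":"):
            continue  # skip 'Keys:' and the column header
        # 'Date of next transition' may contain spaces, so index from the end.
        tag_by_id[parts[-3]] = int(parts[-1])
    keys = {}
    for line in debug_out.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0].endswith(":"):
            continue
        keys[tag_by_id[parts[-1]]] = {
            "zone": parts[0], "role": parts[1], "ds": parts[2],
            "dnskey": parts[3], "rrsigdnskey": parts[4],
        }
    return keys


def chain_problems(keys, parent_ds_tags):
    """Reasons why the DS set published in the parent cannot validate the zone."""
    problems, usable = [], 0
    for tag in sorted(parent_ds_tags):
        key = keys.get(tag)
        if key is None:
            problems.append(f"DS {tag} in parent refers to a key unknown to the enforcer")
        elif key["dnskey"] != "omnipresent" or key["rrsigdnskey"] != "omnipresent":
            problems.append(f"DS {tag} in parent but DNSKEY={key['dnskey']} "
                            f"RRSIGDNSKEY={key['rrsigdnskey']}")
        else:
            usable += 1
    if usable == 0:
        problems.append("no DS in the parent matches a fully published, signing KSK")
    return problems
```

With the post's data, `chain_problems(parse_key_lists(KEY_LIST_V, KEY_LIST_D), {55828})` flags key B as withdrawn from the DNSKEY RRset while its DS is the only one in the parent, which is exactly the broken chain of trust described.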

