[Opendnssec-user] Rollover: DNSKEY for old KSK gone from signed zone before issuing ds-seen/ds-gone commands
Julian Brost
julian at 0x4a42.net
Mon Jan 8 11:11:34 UTC 2018
On 08.01.2018 11:51, Yuri Schaeffer wrote:
> Hi Julian,
>
> On 07-01-18 21:07, Julian Brost wrote:
>> See the attached file `log.txt` for the syslog snippets showing the
>> involved keys and the output of `ods-enforcer key list` as of now.
>> OpenDNSSEC version is 2.1.3, running on Debian sid. Let me know if you
>> need any additional information.
>
> Can I see your kasp.xml? I suspect that the DS TTL + delays is larger
> than your KSK rollover time. This should not be a problem but might be
> the cause of the issue.
>
> //Yuri
>
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
Hi,
See the attachment for the policy used for this zone.
Time between rollovers was 88243 seconds, which is indeed smaller than
DS TTL + PropagationDelay (86400s + 14400s = 100800s) defined in the policy.
Regards,
Julian
-------------- next part --------------
<Policy name="ecdsa256-de">
  <Description>ECDSA P-256 with 90D/365D rollover, 12D min validity, timings for .de</Description>
  <Signatures>
    <Resign>PT2H</Resign>
    <Refresh>P12D</Refresh>
    <Validity>
      <Default>P14D</Default>
      <Denial>P14D</Denial>
    </Validity>
    <Jitter>PT12H</Jitter>
    <InceptionOffset>PT3600S</InceptionOffset>
    <MaxZoneTTL>P1D</MaxZoneTTL>
  </Signatures>
  <Denial>
    <NSEC3>
      <Resalt>P100D</Resalt>
      <Hash>
        <Algorithm>1</Algorithm>
        <Iterations>5</Iterations>
        <Salt length="8"/>
      </Hash>
    </NSEC3>
  </Denial>
  <Keys>
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>
    <KSK>
      <Algorithm length="256">13</Algorithm>
      <Lifetime>P365D</Lifetime>
      <Repository>SoftHSMv2</Repository>
    </KSK>
    <ZSK>
      <Algorithm length="256">13</Algorithm>
      <Lifetime>P90D</Lifetime>
      <Repository>SoftHSMv2</Repository>
    </ZSK>
  </Keys>
  <Zone>
    <PropagationDelay>PT7200S</PropagationDelay>
    <SOA>
      <TTL>PT3600S</TTL>
      <Minimum>PT3600S</Minimum>
      <Serial>unixtime</Serial>
    </SOA>
  </Zone>
  <Parent>
    <PropagationDelay>PT14400S</PropagationDelay>
    <DS>
      <TTL>PT86400S</TTL>
    </DS>
    <SOA>
      <TTL>PT86400S</TTL>
      <Minimum>PT7200S</Minimum>
    </SOA>
  </Parent>
</Policy>
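The check Julian did by hand above (time between KSK rollovers versus Parent DS TTL + Parent PropagationDelay), as an added example that is not part of the thread or of OpenDNSSEC: it parses the KASP ISO 8601 durations from an excerpt of the attached policy and compares the sum with the observed 88243 s interval. The function and variable names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Excerpt of the kasp.xml attached above, reduced to the elements this check reads.
POLICY_XML = """<Policy name="ecdsa256-de">
  <Parent>
    <PropagationDelay>PT14400S</PropagationDelay>
    <DS><TTL>PT86400S</TTL></DS>
  </Parent>
</Policy>"""

# Day/time ISO 8601 durations as used in kasp.xml (P14D, PT2H, PT3600S, PT12H).
# Year/month designators are not handled: they are not fixed numbers of seconds.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a KASP duration string to seconds, rejecting anything unsupported."""
    text = text.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(m.group(k) or 0) for k in ("d", "h", "m", "s"))
    return ((d * 24 + h) * 60 + mi) * 60 + s


def ds_withdrawal_window(policy_xml):
    """Seconds an old DS can still be cached after the parent stops serving it:
    Parent/DS/TTL plus Parent/PropagationDelay, the sum quoted in the reply."""
    root = ET.fromstring(policy_xml)
    ds_ttl = parse_duration(root.findtext("Parent/DS/TTL"))
    parent_delay = parse_duration(root.findtext("Parent/PropagationDelay"))
    return ds_ttl + parent_delay


def rollover_shorter_than_ds_window(policy_xml, seconds_between_rollovers):
    """True when consecutive KSK rollovers are closer together than the DS window,
    the condition Yuri suspected as the cause."""
    return seconds_between_rollovers < ds_withdrawal_window(policy_xml)


if __name__ == "__main__":
    window = ds_withdrawal_window(POLICY_XML)
    print(f"DS TTL + parent propagation delay: {window}s")  # 100800s
    print("rollover faster than DS window:", rollover_shorter_than_ds_window(POLICY_XML, 88243))
```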