[Opendnssec-user] ds-seen not working

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Nov 12 16:12:12 UTC 2019


On 11/10/19 7:01 PM, František Dvořák wrote:
> Hi,
> 
> the key 43156 is already active and in ds-seen state, so there were
> zero keys to change and it's OK.
> 
> The "waiting" key would look like this (output from version 2.1.4):
> 
> example.com	KSK      ready     waiting for ds-seen	...
> 
> (Disclaimer: I'm a mere user, so I hope I didn't overlook something here.
> :-))

Quite correct, it is already active.  Perhaps the output is confusing
as it states it is in state "ds-seen"  but the next column is "date of
next transaction".

Here the implementation deliberately does not work on keys that have
already been ds-seen.  This makes it a bit more clear to invoke a
DS seen on all keys waiting for it.  Otherwise it would seem as if
it didn't do anything.  Now the next time you run it you will get
a better indication the previous run was fine.

\Berry

>   František
> 
> Bas van den Dikkenberg píše v Ne 10. 11. 2019 v 18:18 +0100:
>> Hi,
>>  
>> I am running opendnssec 2.1.5,
>>  
>> But key-ds-seen is not working any more?
>>  
>> From the command line I did this:
>>  
>> cmd> verbosity 10
>> Verbosity level set to 10.
>> Command exit code: 0
>> cmd> key ds-seen --zone energiekeburger.nl --keytag 43156
>> 0 KSK matches found.
>> 0 KSKs changed.
>> Command exit code: 11
>> cmd>
>> root@domein:/usr/src/opendnssec-2.1.5# tail -f /var/log/syslog
>> Nov 10 18:15:11 domein ods-enforcerd: received command verbosity 10
>> Nov 10 18:15:11 domein ods-enforcerd: [cmdhandler] verbosity command
>> Nov 10 18:15:11 domein ods-enforcerd: [verbosity_cmd] verbosity
>> command
>> Nov 10 18:15:11 domein ods-enforcerd: [cmdhandler] done handling
>> command verbosity 10
>> Nov 10 18:15:26 domein ods-enforcerd: received command key ds-seen --
>> zone energiekeburger.nl --keytag 43156
>> Nov 10 18:15:26 domein ods-enforcerd: [cmdhandler] key ds-seen
>> command
>> Nov 10 18:15:26 domein ods-enforcerd: SELECT zone.id, zone.rev,
>> zone.policyId, zone.name, zone.signconfNeedsWriting,
>> zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk,
>> zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow,
>> zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType,
>> zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll,
>> zone.nextCskRoll FROM zone WHERE zone.name = ?
>> Nov 10 18:15:26 domein ods-enforcerd: SELECT zone.id, zone.rev,
>> zone.policyId, zone.name, zone.signconfNeedsWriting,
>> zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk,
>> zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow,
>> zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType,
>> zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll,
>> zone.nextCskRoll FROM zone WHERE zone.name = ?
>> Nov 10 18:15:26 domein ods-enforcerd: SELECT keyData.id, keyData.rev,
>> keyData.zoneId, keyData.hsmKeyId, keyData.algorithm,
>> keyData.inception, keyData.role, keyData.introducing,
>> keyData.shouldRevoke, keyData.standby, keyData.activeZsk,
>> keyData.publish, keyData.activeKsk, keyData.dsAtParent,
>> keyData.keytag, keyData.minimize FROM keyData WHERE keyData.zoneId =
>> ? AND keyData.role != ? AND keyData.dsAtParent = ? AND keyData.keytag
>> = ?
>> Nov 10 18:15:26 domein ods-enforcerd: [cmdhandler] done handling
>> command key ds-seen --zone energiekeburger.nl --keytag 43156
>>  
>> As you can see the keytag is correct with the zone:
>> root@domein:/usr/src/opendnssec-2.1.5# ods-enforcer
>> cmd> key list -v --zone energiekeburger.nl
>> Keys:
>> Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
>> energiekeburger.nl              KSK      active    ds-seen                  4096  8          c702cc27df11f05115473bdfa95e6775 SoftHSM     43156
>> energiekeburger.nl              ZSK      active    ds-unsubmitted           4096  8          befcbf16a7fd63e27c1b986dc3933824 SoftHSM     47748
>> Command exit code: 0
>> cmd>
>>  
>>  
>> What am I missing?
>>  
>> thanks in advance
>>  
>> Bas
>>  
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
> 
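
The check discussed in this thread, as an added example that is not part of the original messages and not OpenDNSSEC code: it parses "key list -v" output and emits a "key ds-seen" command only for keys still waiting for it, which is why an already active key yields "0 KSK matches found". The function names are hypothetical, the sample rows are constructed, and it assumes the verbose listing shows the same "waiting for ds-seen" text as the 2.1.4 line quoted above.

```python
# Added example, not OpenDNSSEC code. SAMPLE is constructed for illustration.
from typing import List, NamedTuple

SAMPLE = """\
Keys:
Zone:        Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.com  KSK  ready   waiting for ds-seen  2048 8 0123456789abcdef0123456789abcdef SoftHSM 12345
example.com  ZSK  active  2019-12-01 10:00:00  1024 8 fedcba9876543210fedcba9876543210 SoftHSM 23456
example.org  KSK  active  ds-seen              2048 8 00112233445566778899aabbccddeeff SoftHSM 34567
"""


class KeyRow(NamedTuple):
    zone: str
    keytype: str
    state: str
    next_transition: str  # may be several words, e.g. "waiting for ds-seen"
    keytag: int


def parse_key_list(text: str) -> List[KeyRow]:
    """Parse data rows; the header and the 'Keys:' line are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Layout: zone, keytype, state, <transition...>, size, algorithm,
        # CKA_ID, repository, keytag. Only the transition column can hold
        # spaces, so take 3 fields from the left and 5 from the right.
        if len(f) < 9 or f[1] not in ("KSK", "ZSK", "CSK") or not f[-1].isdigit():
            continue
        rows.append(KeyRow(f[0], f[1], f[2], " ".join(f[3:-5]), int(f[-1])))
    return rows


def ds_seen_commands(rows: List[KeyRow]) -> List[str]:
    """Enforcer commands for keys that are still waiting for ds-seen."""
    return [
        f"key ds-seen --zone {r.zone} --keytag {r.keytag}"
        for r in rows
        # Assumption: only KSK/CSK rows can wait for a DS at the parent.
        if r.keytype in ("KSK", "CSK") and r.next_transition == "waiting for ds-seen"
    ]


if __name__ == "__main__":
    for cmd in ds_seen_commands(parse_key_list(SAMPLE)):
        print(cmd)
```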



