[Opendnssec-user] KSK stuck in "retire" state

Havard Eidnes he at uninett.no
Mon Apr 27 08:19:42 UTC 2020


Hi,

we're still running OpenDNSSEC 1.4.14 for our operational signer
host.  This works mostly OK, but recently one of our KSKs appears
to have become stuck in the "retire" state:

ods @ signer: {1} ods-ksmutil key list | grep KSK | grep -v active
mail.uninett.no                 KSK           retire    2020-04-22 16:16:49 
ods @ signer: {2}

This time is now long past, and OpenDNSSEC hasn't progressed the
state machine for this KSK further since then.

Trying to manually retire the KSK, however, produces a nasty
warning that the KSK is "currently active":

ods @ signer: {5} ods-ksmutil key list -v -z mail.uninett.no
SQLite database set to: /var/db/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition (to):  Size:   Algorithm:  CKA_ID:                           Repository:                       Keytag:
mail.uninett.no                 KSK           retire    2020-04-22 16:16:49 (dead)     2048    8           4ca2db09e990dc261e69a184994c9120  SoftHSM                           221
mail.uninett.no                 ZSK           retire    2020-05-02 14:20:26 (dead)     1280    8           5e2b9cf676f778b7f981b133f8bfd677  SoftHSM                           54795
mail.uninett.no                 ZSK           active    2020-05-11 09:05:26 (retire)   1280    8           baed7d905aa52e2ce3dad8658bdb0489  SoftHSM                           45706
mail.uninett.no                 KSK           active    2021-04-22 07:30:10 (retire)   2048    8           1b9843d9ef29e15a625362128aa88d51  SoftHSM                           49985

ods @ signer: {6} ods-ksmutil key ksk-retire -k 4ca2db09e990dc261e69a184994c9120
*WARNING* This will retire the currently active KSK; are you sure? [y/N] n
Okay, quitting...
ods @ signer: {7}

Looking at the downstream name server reveals that the DNSKEY
RRset for this zone is still being signed by two KSKs, one of
them the KSK in "retire" state (keytag 221):

:~> ods-dig axfr mail.uninett.no. | egrep 'RRSIG.DNSKEY'
mail.uninett.no.        3600    IN      RRSIG   DNSKEY 8 3 3600 20200515204245 20200424191333 34291 mail.uninett.no. H+TuzEu02X7ErQn1nPl2cjEKipdk14NsnnuS3WlrOpHtffG5cf5VFh+0 BmmX5fZhKtTxLfZKC21jwX+60CZAYNKWEWRnAl88Lq59ayJ7sSK9dx/D ZQOzkolHPe4P3+fmBxwmgpiwR56vWC0/BLxszfjW4x5FT9GnwiWLI8Vw pv+fNU3Vt8ByBsKE8xUNMTxltdVsT1kdG+nxrWahGTsvwMTOXiZoI1m8 1hdraJ2dCfYwvVrcUpe5kubeTK/fSx4IIm5fgDQdZ9Vn+kVFU7MHWgCR BKSljAKDnJLyiBqyt2GHioz1GLa9utMOMlkvAN5He5s5wgVYH/7L7IIa 44Uqog==
mail.uninett.no.        3600    IN      RRSIG   DNSKEY 8 3 3600 20200515204245 20200424191333 221 mail.uninett.no. U0bb2EdSu44XwDh1a6bfvAS/n17ucEfyqrABpX/YMlgTdD35Gl1h1s3E fqMN8Vbto5TkYrN4EBEnVpYN6ZgAjRB04ElxfUgsf6HnIvCEsreaLzbr eC4FYYRbdJ2dyP8uGhZhEtDC0dzxlCHjy1K93EIN6XVaG+zdUnytKMMz EaXD4BUUpXIO6v1aaS4bQuLpMkp4ctk5Oy8ni0vglWf5U7ZJ6SelOVVy Fvt6XJhD5K/KOJ4Gu/i2J0sWT3rxwv3BqNEWVUP0hyXX0DwzRDQ8b3Vl r+ls7T9Lb/8qwBPtsda6fydezvpBikWQ25qL+s6Mv9qJLZrpyv2uJq3k lgDVMA==
:~>

Any idea what I can do to change this?

(This seems similar to an issue I've seen and written about
earlier with OpenDNSSEC 2.1.6 as well, where a KSK is stuck in
the "retire" state, but is still being used to sign the DNSKEY
RRset.)

Regards,

- Håvard
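The cross-check described in the post (key states from ods-ksmutil versus the key tags actually signing the DNSKEY RRset) can be automated so a stuck key is noticed before the dates are "long past". The script below is an added example, not code from the post or from the OpenDNSSEC project. It parses the two outputs quoted above, which are embedded as constructed sample input with the RRSIG signature data replaced by a placeholder, and reports any KSK in "retire" state whose key tag still appears in an RRSIG over DNSKEY, whether its next transition date has already passed relative to a supplied reference time, and any signing key tags that match no key in the list. Field positions follow the standard RRSIG presentation format and the `ods-ksmutil key list -v` column layout shown in the post; the sample data and the reference time (the post's date) are the only assumptions.

```python
"""Cross-check OpenDNSSEC 1.4 key states against the RRSIGs actually
published over the DNSKEY RRset.

Added example, not from the original post or the OpenDNSSEC project.
The sample inputs are the ods-ksmutil and dig outputs quoted in the
post; RRSIG signature data is replaced by a placeholder because only
the key tag field is needed for this check.
"""
from datetime import datetime

# Constructed sample: output of `ods-ksmutil key list -v -z mail.uninett.no`
# as quoted in the post (column spacing collapsed; parsing is whitespace-based).
KEY_LIST = """\
SQLite database set to: /var/db/opendnssec/kasp.db
Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
mail.uninett.no KSK retire 2020-04-22 16:16:49 (dead)   2048 8 4ca2db09e990dc261e69a184994c9120 SoftHSM 221
mail.uninett.no ZSK retire 2020-05-02 14:20:26 (dead)   1280 8 5e2b9cf676f778b7f981b133f8bfd677 SoftHSM 54795
mail.uninett.no ZSK active 2020-05-11 09:05:26 (retire) 1280 8 baed7d905aa52e2ce3dad8658bdb0489 SoftHSM 45706
mail.uninett.no KSK active 2021-04-22 07:30:10 (retire) 2048 8 1b9843d9ef29e15a625362128aa88d51 SoftHSM 49985
"""

# Constructed sample: the RRSIG DNSKEY records from the AXFR in the post,
# signature data shortened to a placeholder.
RRSIGS = """\
mail.uninett.no. 3600 IN RRSIG DNSKEY 8 3 3600 20200515204245 20200424191333 34291 mail.uninett.no. <sig-data>
mail.uninett.no. 3600 IN RRSIG DNSKEY 8 3 3600 20200515204245 20200424191333 221 mail.uninett.no. <sig-data>
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_key_list(text):
    """Parse `ods-ksmutil key list -v` rows into dicts; header lines are skipped."""
    keys = []
    for line in text.splitlines():
        f = line.split()
        # A data row has exactly 11 whitespace-separated fields:
        # zone keytype state date time (next_state) size alg cka_id repo keytag
        if len(f) != 11 or f[1] not in ("KSK", "ZSK"):
            continue
        keys.append({
            "zone": f[0],
            "keytype": f[1],
            "state": f[2],
            "next_transition": datetime.strptime(f[3] + " " + f[4], TS_FMT),
            "next_state": f[5].strip("()"),
            "size": int(f[6]),
            "algorithm": int(f[7]),
            "cka_id": f[8],
            "repository": f[9],
            "keytag": int(f[10]),
        })
    return keys


def rrsig_keytags(text, covered="DNSKEY"):
    """Key tags of RRSIG records covering `covered`.

    RRSIG presentation format: owner ttl class RRSIG type alg labels
    orig_ttl expiration inception keytag signer signature...
    """
    tags = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 12 and f[3] == "RRSIG" and f[4] == covered:
            tags.add(int(f[10]))
    return tags


def check_ksk_states(keys, signing_tags, now_str):
    """Return (stuck, unknown).

    stuck:   KSKs in state 'retire' whose key tag still signs the DNSKEY RRset,
             with a flag telling whether their next transition is already overdue
             relative to `now_str` (format YYYY-mm-dd HH:MM:SS).
    unknown: signing key tags that match no key in the ods-ksmutil list.
    """
    now = datetime.strptime(now_str, TS_FMT)
    stuck = []
    known_tags = set()
    for k in keys:
        known_tags.add(k["keytag"])
        if k["keytype"] == "KSK" and k["state"] == "retire" and k["keytag"] in signing_tags:
            stuck.append({
                "cka_id": k["cka_id"],
                "keytag": k["keytag"],
                "transition_overdue": k["next_transition"] < now,
            })
    return stuck, sorted(signing_tags - known_tags)


if __name__ == "__main__":
    # Reference time: the date of the post (assumption for the example).
    stuck, unknown = check_ksk_states(parse_key_list(KEY_LIST),
                                      rrsig_keytags(RRSIGS),
                                      "2020-04-27 08:19:42")
    for s in stuck:
        print("KSK %s (keytag %d) is in 'retire' but still signs DNSKEY; overdue=%s"
              % (s["cka_id"], s["keytag"], s["transition_overdue"]))
    if unknown:
        print("RRSIG key tags with no matching key in the list:", unknown)
```

On the post's data this flags CKA_ID 4ca2db09e990dc261e69a184994c9120 (keytag 221) as retired-but-signing with its transition overdue, and also notes that keytag 34291 appears in the RRSIGs without a corresponding entry in the key list. In operation the two inputs would come from `ods-ksmutil key list -v -z <zone>` on the signer and an AXFR or `dig <zone> DNSKEY +dnssec` against the downstream name server.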

