[Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

Erik P. Ostlyngen via Opendnssec-user opendnssec-user at lists.opendnssec.org
Mon Jan 13 13:54:36 UTC 2020


Hi,

I'm doing some testing with OpenDNSSec version 2.1.4, and I'm seeing
what to me looks like some unexpected behaviour during ZSK rollover.
During the period of replacing the signatures from old to new keys,
the old signatures are replaced with a set of two signature from both
the old and the new keys.

After starting a rollover, the new ZSK is generated and added to the
zone. After a short publishing period, the key changes state to active
and the system starts to generate signatures with the new key. I would
then expect the old signatures to be gradually replaced with
signatures with the new key, as each of the old keys reaches its end
of life time. Instead the old signature is replaced with a new pair of
signatures, one sig made with the old key and one made with the new
one. So, during the period of signature replacement, the size of the
zonefile grows gradually until all the records have a set of two
signatures. When the replacement period is over, the old key is
removed from the zone, and all the old signatures are removed at the
same time, leaving the zonefile in the 'normal' state with a single
signature for each signed record.

Example diff during the signature replacement:

221c226,227
< frisor.bergen.no.     7200    IN      RRSIG   DS 8 3 7200
20200118150151 20200105190134 22581 bergen.no.
aRn9nlLCjXFBLck20gKVn4sVmdINKEV5Irnyx4L86OdYa1nwIGfx8loPDGacirPgRxCK/yjo9efxvKH4Deuhz5uyO2SUMrhJmtc5fkzxG0zZYPSEc6M+FY7Zklvg/y1s4v47agEJoBCiuzvy9eJAcV0XUWUgz//EEv6UIOqJ6RA=
---
> frisor.bergen.no.     7200    IN      RRSIG   DS 8 3 7200
20200121021554 20200108150228 44316 bergen.no.
ocYyHZQoEWDrfUagh7Z24zY3Wz4jz3NVzHpSUbeemtfkf66f5UUl/cpq/Y6us2axHolIMWW+oroPXAtwYAsj9jXJ1tUNlWpCNSuNbX5TX3Cs1btPSh2xqbZojaIX1AtSjIq9iejXI0nDiXjO3uLHNqNNyIgHfM9Mk3KwCVOW7ow=
> frisor.bergen.no.     7200    IN      RRSIG   DS 8 3 7200
20200121021554 20200108150228 22581 bergen.no.
X2Fql3Eaa/rrUimY703cdv1E/DWfR8rD//2d8W8EWMba8bDbKVpR2BVclAgvtNw2JtrPOhYVMt8bF/uKI1+awowTqeRIyPiMAF9cn+O2oWMDK3bAlUuuAKVdYwM2J/OhQp4r3XochHuJ6WnrwJJ+YKBUWk0CAcEFbLAPA785zAg=
443c450,45
< rolex.bergen.no.      7200    IN      RRSIG   DS 8 3 7200
20200118142553 20200105030451 22581 bergen.no.
rGRg3Sr8WwBLOWNasZehV24lStR7x6KGIEtbGetelslPi7kvEOZ1Tt6tiCioZ5ZkoztyTLtlfvKhl5Z3nd90UHPZzd9f5g51erUb+cybw4P+mcEBBzOFeWXrWawM3/keMKKJ9jthvvqWMfFojXLPvIT8aNPyuX16Dj+IM5MNUBY=
---
> rolex.bergen.no.      7200    IN      RRSIG   DS 8 3 7200
20200121003335 20200108150228 44316 bergen.no.
tntEofV494LkvLi2MGUKH8cLJBEWeentEsM1JI5Z4i/j/nDb//uwliBAYPLeRg7DT0Lhs6YmLOUX6k/vwgSrLAo5wc/u0JP83riN/jdPl0rOXEgHBRS9Qkqj2a2VnKOtmAlOn8lOUO9DfWEsl7dnnKbwJmy3E80xYAVzxkeWu1M=
> rolex.bergen.no.      7200    IN      RRSIG   DS 8 3 7200
20200121003335 20200108150228 22581 bergen.no.
bTCicOFKRlmaKcj6Pz/bZDVzGg8hACy4ksuUka8Wah0SM0efvRp23cDU3WE62bopscSLHd1A7w0pMddJGxMLo+ivpbk4xeblnZk4tgWku34mZ9jk43Lu3w1bN87YR54JsXSBWdhF535tac+HcRSmgUUO/Wop0l5OVfcGoTKsQJw=
...

I'm wondering if this is the intended behaviour? If not, what could
the reason be for it to happen? I've built the system from thr 2.1.4
source on an Ubuntu 16.04 distribution. I'm running the system with
SoftHSM v2.5 and SQLite3 enforcer backend.

Kind regards,
Erik Østlyngen
Norid AS
www.norid.no
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user


More information about the Opendnssec-user mailing list