[Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

Berry A.W. van Halderen via Opendnssec-user opendnssec-user at lists.opendnssec.org
Tue Jan 14 09:00:45 UTC 2020

On 1/13/20 2:54 PM, Erik P. Ostlyngen via Opendnssec-user wrote:
> I'm doing some testing with OpenDNSSec version 2.1.4, and I'm seeing
> what to me looks like some unexpected behaviour during ZSK rollover.
> During the period of replacing the signatures from old to new keys,
> the old signatures are replaced with a set of two signatures from both
> the old and the new keys.
> After starting a rollover, the new ZSK is generated and added to the
> zone. After a short publishing period, the key changes state to active
> and the system starts to generate signatures with the new key. I would
> then expect the old signatures to be gradually replaced with
> signatures with the new key, as each of the old keys reaches its end
> of life time. Instead the old signature is replaced with a new pair of
> signatures, one sig made with the old key and one made with the new
> one. So, during the period of signature replacement, the size of the
> zonefile grows gradually until all the records have a set of two
> signatures. When the replacement period is over, the old key is
> removed from the zone, and all the old signatures are removed at the
> same time, leaving the zonefile in the 'normal' state with a single
> signature for each signed record.

Dear Erik,

It will also depend on the TTL of your keyset.  The old signatures
need to be around for at least that time period plus some more.  The
ods-enforcer key list command by default only gives out information
whether a key is active or not, not the real underlying status of
the key presence as seen on the internet.  If you add the flag -d
to the command it will output a more extended interpretation with
amongst others whether a key is rumoured (active but not seen
by everyone yet) or omnipresent (everyone should know about it).
Only in that latter state an old signature will be dropped when a
new signature is generated.

Note also that it depends on how to perform a roll.  The default
is to move as swiftly as possible, not generating duplicate
signatures or full resigns.  Oh, and during a key roll with
an algorithm rollover all signatures need to be kept present
for some rolls.

So without more information regarding KASP configuration and key
state this doesn't look surprising to me yet.  And certainly
not wrong.  There were some corrections in the past but you are
on 2.1.4 already.
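As an added illustration (not part of the original thread or of OpenDNSSEC itself), the following script measures the behaviour Erik describes from the zone side: it groups RRSIG records by RRset and reports which key tags currently sign each one, so the "only old / both / only new" counts can be compared against what `ods-enforcer key list -d` reports for the key states. The sample zone, the key tags 11111 and 22222 and the signature blobs are constructed placeholders, and the parser assumes one RRSIG per line in presentation format.

```python
# Observe a ZSK rollover by counting signing key tags per RRset.
# Assumes one RRSIG per line (owner ttl class RRSIG ... keytag signer sig).
from collections import defaultdict

# Constructed sample: example.com mid-rollover, old ZSK 11111, new ZSK 22222.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2020011401 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20200213090000 20200114090000 11111 example.com. AAAA
example.com. 3600 IN RRSIG SOA 8 2 3600 20200213090000 20200114090000 22222 example.com. BBBB
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20200213090000 20200114090000 11111 example.com. CCCC
www.example.com. 3600 IN RRSIG A 8 3 3600 20200213090000 20200114090000 22222 example.com. DDDD
mail.example.com. 3600 IN A 192.0.2.2
mail.example.com. 3600 IN RRSIG A 8 3 3600 20200213090000 20200114090000 22222 example.com. EEEE
"""

def rrsig_keytags(zone_text):
    """Map (owner, covered type) -> sorted list of key tags that sign it."""
    tags = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        # owner ttl class RRSIG covered alg labels origttl exp inc keytag signer sig
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        owner, covered, keytag = fields[0], fields[4], int(fields[10])
        tags[(owner, covered)].add(keytag)
    return {k: sorted(v) for k, v in tags.items()}

def double_signed(zone_text):
    """RRsets currently carrying signatures from more than one key."""
    return {k: v for k, v in rrsig_keytags(zone_text).items() if len(v) > 1}

def rollover_progress(zone_text, old_tag, new_tag):
    """Count RRsets signed only by the old key, by both, and only by the new key."""
    only_old = both = only_new = 0
    for tags in rrsig_keytags(zone_text).values():
        has_old, has_new = old_tag in tags, new_tag in tags
        if has_old and has_new:
            both += 1
        elif has_old:
            only_old += 1
        elif has_new:
            only_new += 1
    return {"only_old": only_old, "both": both, "only_new": only_new}

if __name__ == "__main__":
    for rrset, tags in sorted(double_signed(SAMPLE_ZONE).items()):
        print(f"{rrset[0]} {rrset[1]}: signed by key tags {tags}")
    print(rollover_progress(SAMPLE_ZONE, 11111, 22222))
```

Run it against successive copies of the signed zone (e.g. from `dig AXFR` or `ldns-read-zone -z`) during a roll; the "both" count should rise and then drop to zero once the old key reaches the omnipresent state Berry mentions and its signatures are removed.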
