[Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

Erik P. Ostlyngen via Opendnssec-user opendnssec-user at lists.opendnssec.org
Wed Jan 15 07:49:33 UTC 2020

On 14/01/2020 10.00, Berry A.W. van Halderen via Opendnssec-user wrote:
> Dear Erik,
> It will also depend on the TTL of your keyset.  The old signatures 
> need to be around for at least that time period plus some more.
> The ods-enforcer key list command by default only gives out
> information whether a key is active or not, not the real underlying
> status of the key presence as seen on the internet.  If you add the
> flag -d to the command it will output a more extended
> interpretation with amongst others whether a key is rumoured
> (active but not seen by everyone yet) or omnipresent (everyone
> should know about it). Only in that latter state an old signature
> will be dropped when a new signature is generated.
> Note also that it depends on how to perform a roll.  The default is
> to move as swiftly as possible, not generating duplicate signatures
> or full resigns.  Oh, and during a key roll with an algorithm roll
> over all signatures need to be kept present for some rolls.
> So without more information regarding KASP configuration and key
> state this doesn't look surprising to me yet.  And certainly
> not wrong.  There were some corrections in the past but you are on
> 2.1.4 already.

Dear Berry,

Thank you for your detailed and informative answer. I've tried to use
the -d option to observe how the key states change during the
rollover. It looks like the new zsk goes to state 'omnipresent' after
a short period of inactive/publishing:

cmd> key list -d --zone bergen.no
Zone:      Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:       Pub:  Act:  Id:
bergen.no  KSK        omnipresent  omnipresent  omnipresent   NA           1     1     c475614c9cbf33a1a1ae55836695590c
bergen.no  ZSK        NA           omnipresent  NA            unretentive  1     0     7199b64ff27f109f4f86bb8ccc6fb166
bergen.no  ZSK        NA           omnipresent  NA            rumoured     1     1     7a0c39ac376af233453002d70ced7926

It is in this state, where both the old and the new zsk are
omnipresent, that the double signatures are inserted. I'm not able to
see if my TTL values or other timing parameters are causing it. The
zsk roll type is 'ZskPrePublication'. There are no algorithm changes
involved. I'm attaching the kasp policy configuration if you would
like to have a look.

Kind regards,
Erik Østlyngen
Norid AS
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: policy.txt
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20200115/57a52f9c/attachment.txt>
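
Added example, not part of the original message and not OpenDNSSEC code: a small parser for the "key list -d" listing quoted above that reports zones whose ZSK RRSIG states are still in transition. The function names are hypothetical, and reading 'unretentive' as the outgoing key and 'rumoured' as the incoming key is an assumption taken from this one listing.

```python
FIELDS = ("zone", "role", "ds", "dnskey", "rrsigdnskey", "rrsig", "pub", "act", "id")

# Values as quoted in the message; the two-line row layout is constructed here
# to show that rows wrapped by mail software are still parsed.
SAMPLE = """\
cmd> key list -d --zone bergen.no
Zone:                           Key role:     DS:          DNSKEY:
  RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
bergen.no                       KSK           omnipresent  omnipresent
 omnipresent  NA           1    1    c475614c9cbf33a1a1ae55836695590c
bergen.no                       ZSK           NA           omnipresent
 NA           unretentive  1    0    7199b64ff27f109f4f86bb8ccc6fb166
bergen.no                       ZSK           NA           omnipresent
 NA           rumoured     1    1    7a0c39ac376af233453002d70ced7926
"""

def parse_key_list(text):
    """Return one dict per key; rows may sit on one line or be wrapped."""
    tokens = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks, the prompt line, and header lines (header cells end with ':').
        if not parts or parts[0] == "cmd>" or any(p.endswith(":") for p in parts):
            continue
        tokens.extend(parts)
    if len(tokens) % len(FIELDS):
        raise ValueError("unexpected column count in key list output")
    rows = [tokens[i:i + len(FIELDS)] for i in range(0, len(tokens), len(FIELDS))]
    return [dict(zip(FIELDS, row)) for row in rows]

def zsk_signature_overlap(keys):
    """Map zone -> (outgoing ids, incoming ids) while ZSK RRSIG states differ.

    Assumption: 'unretentive' marks the outgoing key's signatures and
    'rumoured' the incoming key's, as in the listing in the message.
    """
    zones = {}
    for k in keys:
        if k["role"] != "ZSK":
            continue
        outgoing, incoming = zones.setdefault(k["zone"], ([], []))
        if k["rrsig"] == "unretentive":
            outgoing.append(k["id"])
        elif k["rrsig"] == "rumoured":
            incoming.append(k["id"])
    return {z: pair for z, pair in zones.items() if pair[0] and pair[1]}

if __name__ == "__main__":
    for zone, (old, new) in zsk_signature_overlap(parse_key_list(SAMPLE)).items():
        print(f"{zone}: RRSIG transition, outgoing ZSK {old}, incoming ZSK {new}")
```

Run against periodic captures of the listing, this shows how long a zone stays in the transition window, which can then be compared with the TTL and timing values in the KASP policy.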