[Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

Erik P. Ostlyngen erik at norid.no
Fri Jan 17 09:55:41 UTC 2020

Hi again,

I've now made a test installation of the Ubuntu Focal version of
opendnssec 2.1.4 and have set up a signer using the standard demo
configuration which comes with the package. Signing from file to file.
With this config I still get double signatures during a ZSK rollover.
After the publication period (new ZSK in state Rumored), the ZSK goes
to state Omnipresent and starts using the new key for signing. At this
point the signer creates double signatures and continues to do so
throughout the re-signing period until the old key is removed from the

Is there a demo configuration somewhere with kasp timing parameters
tuned so that ZSK rollover replaces the signatures without doubling
them (provided that this is possible and configuration is the
problem)? That would be very useful.

Kind regards,
Erik Østlyngen
Norid AS

On 15/01/2020 08.49, Erik P. Ostlyngen via Opendnssec-user wrote:
> On 14/01/2020 10.00, Berry A.W. van Halderen via Opendnssec-user 
> wrote:
>> Dear Erik,
>> It will also depend on the TTL of your keyset.  The old 
>> signatures need to be around for at least that time period plus 
>> some more. The ods-enforcer key list command by default only 
>> gives out information whether a key is active or not, not the 
>> real underlying status of the key presence as seen on the 
>> internet.  If you add the flag -d to the command it will output
>> a more extended interpretation with amoungst others whether a
>> key is rumoured (active but not seen by everyone yet) or
>> omnipresent (everyone should know about it). Only in that latter
>> state a old signature will be dropped when a new signature is
>> generated.
>> Note also that it depends on how to perform a roll.  The default 
>> is to move as swiftly as possible, not generating duplicate 
>> signatures or full resigns.  O, and during a key roll with a 
>> algorithm roll over all signatures need to be kept present for 
>> some rolls.
>> So without more information regarding KASP configuration and key 
>> state this doesn't yet look surprising to me yet.  And certainly 
>> not wrong.  There were some corrections in the past but you are 
>> on 2.1.4 already.
> Dear Berry,
> Thank you for your detailed and informative answer. I've tried to 
> use the -d option to observe how the key states change during the 
> rollover. It looks like the new zsk goes to state 'omnipresent' 
> after a short period of inactive/publishing:
> cmd> key list -d --zone bergen.no Keys: Zone: Key role:     DS:
> DNSKEY: RRSIGDNSKEY: RRSIG:       Pub: Act: Id: bergen.no
> KSK           omnipresent omnipresent omnipresent  NA           1
> 1 c475614c9cbf33a1a1ae55836695590c bergen.no ZSK           NA
> omnipresent NA           unretentive  1 0
> 7199b64ff27f109f4f86bb8ccc6fb166 bergen.no ZSK           NA
> omnipresent NA           rumoured     1 1
> 7a0c39ac376af233453002d70ced7926
> It is in this state, where both the old and the new zsk is 
> omnipresent, that the double signatures are inserted. I'm not able 
> to see if my TTL values or other timing parameters are causing it. 
> The zsk roll type is 'ZskPrePublication'. There are no algorithm 
> changes involved. I'm attaching the kasp policy configuration if 
> you would like to have a look.
> Kind regards, Erik Østlyngen Norid AS www.norid.no
> _______________________________________________ Opendnssec-user 
> mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list