From berry at nlnetlabs.nl Mon Mar 9 09:33:14 2020
From: berry at nlnetlabs.nl (Berry A.W. van Halderen)
Date: Mon, 9 Mar 2020 10:33:14 +0100
Subject: [Opendnssec-user] [centr-tech] Question about OpenDNSSEC and migration to version 2
In-Reply-To: <20200306092452.GA1121@stardust.tech.prive.nic.fr>
References: <60dcf53a-1ad2-eb9d-b046-f8f374cb8f44@norid.no> <20200306092452.GA1121@stardust.tech.prive.nic.fr>
Message-ID: <2d981c03-a479-ed55-9156-a2754e94233e@nlnetlabs.nl>

>> I have a question to those of you who are using OpenDNSSEC for signing
>> your registry zones. At Norid, we are currently in the process of
>> testing OpenDNSSEC version 2 with a plan to migrate when we feel
>> comfortable with that. However, we are now struggling with a problem
>> related to ZSK rollover. I would therefore like to know if any of you
>> have migrated to version 2, or have started on this process. If so, do
>> you have any experiences to share with problems related to the
>> migration or running version 2? In particular, I would like to know if
>> you have experienced the problem described below, and if so, how
>> did you deal with it?

Dear Erik et al.,

I don't think I'm able to post to the centr-tech mailing list and
my account seems to have problems, so I'm cross-posting this to
the opendnssec-user mailing list.

In summary it has been observed that there are double signatures
during a ZSK roll with pre-publication, in a manner which is
unexpected as this wouldn't be necessary with this type of roll and
is also not seen with OpenDNSSEC 1.4.

I've looked into this and I'm able to reproduce it. I think this
behavior is indeed not on purpose and something that has crept
into the behaviour of OpenDNSSEC in the past few patches.

I've localized the behaviour in the code and can fix this in a
near future patch release. The problem is that signatures of the
ZSK that is going out are kept for a bit longer than is
really necessary.

The drawback is that the size of the signed RRset will be larger than
necessary. Which isn't good, but also doesn't break anything.

So thanks for the report, and the next 2.1.7 will contain the fix.

With kind regards,
Berry van Halderen.

From erik at norid.no Mon Mar 9 10:17:49 2020
From: erik at norid.no (Erik P. Ostlyngen)
Date: Mon, 9 Mar 2020 11:17:49 +0100
Subject: [Opendnssec-user] [centr-tech] Question about OpenDNSSEC and migration to version 2
In-Reply-To: <2d981c03-a479-ed55-9156-a2754e94233e@nlnetlabs.nl>
References: <60dcf53a-1ad2-eb9d-b046-f8f374cb8f44@norid.no> <20200306092452.GA1121@stardust.tech.prive.nic.fr> <2d981c03-a479-ed55-9156-a2754e94233e@nlnetlabs.nl>
Message-ID:

Dear Berry,

Thank you for your update. It is good to have this issue resolved.
Looking forward to checking out your version 2.1.7.

Regards,
Erik Østlyngen

On 09/03/2020 10.33, Berry A.W. van Halderen wrote:
> Dear Erik et al.,
>
> I don't think I'm able to post to the centr-tech mailing list and
> my account seems to have problems, so I'm cross-posting this to
> the opendnssec-user mailing list.
>
> In summary it has been observed that there are double signatures
> during a ZSK roll with pre-publication, in a manner which is
> unexpected as this wouldn't be necessary with this type of roll and
> is also not seen with OpenDNSSEC 1.4.
>
> I've looked into this and I'm able to reproduce it. I think this
> behavior is indeed not on purpose and something that has crept
> into the behaviour of OpenDNSSEC in the past few patches.
>
> I've localized the behaviour in the code and can fix this in a
> near future patch release. The problem is that signatures of the
> ZSK that is going out are kept for a bit longer than is
> really necessary.
>
> The drawback is that the size of the signed RRset will be larger than
> necessary. Which isn't good, but also doesn't break anything.
>
> So thanks for the report, and the next 2.1.7 will contain the fix.
>
> With kind regards,
> Berry van Halderen.
>

From paul at nohats.ca Mon Mar 9 14:56:27 2020
From: paul at nohats.ca (Paul Wouters)
Date: Mon, 9 Mar 2020 10:56:27 -0400 (EDT)
Subject: [Opendnssec-user] [centr-tech] Question about OpenDNSSEC and migration to version 2
In-Reply-To: <2d981c03-a479-ed55-9156-a2754e94233e@nlnetlabs.nl>
References: <60dcf53a-1ad2-eb9d-b046-f8f374cb8f44@norid.no> <20200306092452.GA1121@stardust.tech.prive.nic.fr> <2d981c03-a479-ed55-9156-a2754e94233e@nlnetlabs.nl>
Message-ID:

On Mon, 9 Mar 2020, Berry A.W. van Halderen via Opendnssec-user wrote:

>>> I have a question to those of you who are using OpenDNSSEC for signing
>>> your registry zones. At Norid, we are currently in the process of
>>> testing OpenDNSSEC version 2 with a plan to migrate when we feel
>>> comfortable with that.

The fedora packages of opendnssec-2.x contain hooks to automatically
migrate 1.x to 2.x. This has only been tested to work with freeipa,
which uses relatively small zones and we wouldn't really catch double
signing bugs or anything as long as DNSSEC validation keeps working.

I did have to make small changes to the upstream migration scripts.
One part was storing in the db that migration has already happened.
Perhaps upstream can grab those downstream changes for their next
release too :)

Paul
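An added check, not from this thread nor part of OpenDNSSEC, that flags the symptom Berry describes: RRsets carrying RRSIGs from more than one ZSK during a pre-publish roll. It reads a zone in presentation format (one record per line, a constructed sample below), identifies keys only by RRSIG key tag, and skips the DNSKEY RRset, where several signatures are legitimate.

```python
"""Report RRsets signed by more than one key tag (double ZSK signatures)."""
from collections import defaultdict

# Constructed sample: a zone mid-way through a ZSK pre-publish roll where
# the outgoing ZSK (tag 11111) still signs alongside the new one (22222).
SAMPLE_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2020030901 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 13 1 3600 20200323000000 20200309000000 11111 example. abc=
example. 3600 IN RRSIG SOA 13 1 3600 20200323000000 20200309000000 22222 example. def=
example. 3600 IN DNSKEY 257 3 13 ksk==
example. 3600 IN DNSKEY 256 3 13 oldzsk==
example. 3600 IN DNSKEY 256 3 13 newzsk==
example. 3600 IN RRSIG DNSKEY 13 1 3600 20200323000000 20200309000000 33333 example. ghi=
www.example. 300 IN A 192.0.2.1
www.example. 300 IN RRSIG A 13 2 300 20200323000000 20200309000000 11111 example. jkl=
www.example. 300 IN RRSIG A 13 2 300 20200323000000 20200309000000 22222 example. mno=
mail.example. 300 IN A 192.0.2.2
mail.example. 300 IN RRSIG A 13 2 300 20200323000000 20200309000000 22222 example. pqr=
"""


def parse_rrsigs(zone_text):
    """Yield (owner, covered_type, key_tag) for every RRSIG line."""
    for line in zone_text.splitlines():
        fields = line.split()
        # owner TTL class RRSIG type alg labels origttl exp inc keytag signer sig
        if len(fields) >= 12 and fields[3] == "RRSIG":
            yield fields[0].lower(), fields[4], int(fields[10])


def double_signed_rrsets(zone_text):
    """Return {(owner, type): sorted key tags} for RRsets with >1 signing key.

    The DNSKEY RRset is excluded: it is normally signed by the KSK and may
    carry extra signatures during a KSK roll. For any other RRset, two key
    tags mean two ZSKs are signing at once, which a pre-publish ZSK roll
    should not need.
    """
    tags = defaultdict(set)
    for owner, rtype, keytag in parse_rrsigs(zone_text):
        if rtype != "DNSKEY":
            tags[(owner, rtype)].add(keytag)
    return {k: sorted(v) for k, v in tags.items() if len(v) > 1}


if __name__ == "__main__":
    for (owner, rtype), keys in sorted(double_signed_rrsets(SAMPLE_ZONE).items()):
        print(f"{owner} {rtype}: signed by key tags {keys}")
```

Run it against a signed zone dumped from the signer output; an empty result means each non-DNSKEY RRset is signed by exactly one key, which is what a clean pre-publish ZSK roll should show.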