[Opendnssec-user] [centr-tech] Question about OpenDNSSEC and migration to version 2

Berry A.W. van Halderen berry at nlnetlabs.nl
Mon Mar 9 09:33:14 UTC 2020

>> I have a question to those of you who are using OpenDNSSEC for signing
>> your registry zones. At Norid, we are currently in the process of
>> testing OpenDNSSEC version 2 with a plan to migrate when we feel
>> comfortable with that. However, we are now struggling with a problem
>> related to ZSK rollover. I would therefore like to know if any of you
>> have migrated to version 2, or have started on this process. If so, do
>> you have any experiences to share with problems related to the
>> migration or running version 2? In particular, I would like to know if
>> you have experienced the problem described below, and if so, how
>> did you deal with it?

Dear Erik et al.,

I don't think I'm able to post to the centr-tech mailing list and my
account seems to have problems, so I'm cross-posting this to the
opendnssec-user mailing list.

In summary, it has been observed that there are double signatures during
a ZSK roll with pre-publication, in a manner which is unexpected as
this wouldn't be necessary with this type of roll and is also not seen
with OpenDNSSEC 1.4.

I've looked into this and I'm able to reproduce it.  I think this
behaviour is indeed not on purpose and something that has crept into
the behaviour of OpenDNSSEC in the past few patches.

I've localized the behaviour in the code and can fix this in a near
future patch release.  The problem is that signatures of the ZSK that
is going out are kept for a bit longer than is really necessary.

The drawback is that the size of the signed RRset will be larger than
necessary, which isn't good, but also doesn't break anything.

So thanks for the report, and the upcoming 2.1.7 will contain the fix.

With kind regards,
Berry van Halderen.
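To check whether a signed zone shows the double signatures described in this thread, the following added example (not code from the OpenDNSSEC project or from either poster) scans a zone in presentation format and reports RRsets carrying RRSIGs from more than one key tag. The sample zone, key tags and timestamps are constructed; it assumes one record per line with the class field present, and it skips the DNSKEY RRset, which is legitimately signed by the KSK as well.

```python
"""Report RRsets whose RRSIGs come from more than one key tag.

During a pre-publish ZSK roll each RRset should carry a signature from
only one ZSK; an RRset signed by two ZSK key tags is the "double
signature" observed in the thread. Sample zone below is constructed
(signature data shortened), with ZSK tags 11111/22222 and KSK tag 33333.
"""
from collections import defaultdict

SAMPLE_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2020030901 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20200323093314 20200309093314 11111 example. AAAA...
example. 3600 IN RRSIG SOA 8 1 3600 20200323093314 20200309093314 22222 example. BBBB...
example. 3600 IN NS ns1.example.
example. 3600 IN RRSIG NS 8 1 3600 20200323093314 20200309093314 11111 example. CCCC...
example. 3600 IN DNSKEY 257 3 8 AwEAAc...
example. 3600 IN RRSIG DNSKEY 8 1 3600 20200323093314 20200309093314 33333 example. DDDD...
www.example. 3600 IN A 192.0.2.1
www.example. 3600 IN RRSIG A 8 2 3600 20200323093314 20200309093314 11111 example. EEEE...
www.example. 3600 IN RRSIG A 8 2 3600 20200323093314 20200309093314 22222 example. FFFF...
"""


def rrsig_keytags(zone_text):
    """Map (owner, type covered) -> set of key tags seen in RRSIG records."""
    tags = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiry inception keytag signer sig
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        owner, covered, keytag = fields[0], fields[4], int(fields[10])
        tags[(owner, covered)].add(keytag)
    return dict(tags)


def double_signed(zone_text, skip_types=("DNSKEY",)):
    """RRsets signed by more than one key tag, ignoring the DNSKEY RRset
    (signed by the KSK, so multiple tags there are expected)."""
    return sorted(rrset for rrset, tags in rrsig_keytags(zone_text).items()
                  if rrset[1] not in skip_types and len(tags) > 1)


if __name__ == "__main__":
    tags = rrsig_keytags(SAMPLE_ZONE)
    for owner, rtype in double_signed(SAMPLE_ZONE):
        print(f"{owner} {rtype}: signed by key tags {sorted(tags[(owner, rtype)])}")
```

Multiple RRSIGs per RRset are normal in a double-signature ZSK roll (and briefly at the moment a new ZSK becomes active), so the output is only a sign of the behaviour discussed here when the zone is configured for a pre-publish roll and the extra signatures persist past the roll.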
