From he at uninett.no  Mon May 11 20:05:00 2020
From: he at uninett.no (Havard Eidnes)
Date: Mon, 11 May 2020 22:05:00 +0200 (CEST)
Subject: [Opendnssec-user] KSK stuck in "retire" state
In-Reply-To: <20200427.101942.2176256205160348720.he@uninett.no>
References: <20200427.101942.2176256205160348720.he@uninett.no>
Message-ID: <20200511.220500.2273859296249209479.he@uninett.no>

Hi,

a while earlier I reported:

> we're still running OpenDNSSEC 1.4.14 for our operational signer
> host.  This works mostly OK, but recently one of our KSKs appear
> to have become stuck in the "retire" state:
>
> ods @ signer: {1} ods-ksmutil key list | grep KSK | grep -v active
> mail.uninett.no                 KSK           retire    2020-04-22 16:16:49 
> ods @ signer: {2}

This persisted, and the KSK was being used to sign the DNSKEY
RRset as well.

I finally found a way to push OpenDNSSEC to move beyond this, and
that was to do

  ods-ksmutil key rollover -z mail.uninett.no -t KSK

and OpenDNSSEC then dignified to actually generate a new KSK and
roll out this one which had gotten "stuck".

Quite a bit earlier I reported I had the same issue on my test
installation of OpenDNSSEC 2.x, and the zone there which had
gotten stuck similarly was unwedged with

  ods-enforcer key rollover -z eduvpn.no --keytype KSK

So, not a fix for how this got into this state, but at least a
workaround to push OpenDNSSEC to move onwards.  Something to take
note of behind the ear; it appears to be a somewhat rare event...

Regards,

- H?vard