[Opendnssec-user] KSK stuck in "retire" state

Havard Eidnes he at uninett.no
Mon May 11 20:05:00 UTC 2020


a while earlier I reported:

> we're still running OpenDNSSEC 1.4.14 for our operational signer
> host.  This works mostly OK, but recently one of our KSKs appear
> to have become stuck in the "retire" state:
> ods @ signer: {1} ods-ksmutil key list | grep KSK | grep -v active
> mail.uninett.no                 KSK           retire    2020-04-22 16:16:49 
> ods @ signer: {2}

This persisted, and the KSK was being used to sign the DNSKEY
RRset as well.

I finally found a way to push OpenDNSSEC to move beyond this, and
that was to do

  ods-ksmutil key rollover -z mail.uninett.no -t KSK

and OpenDNSSEC then dignified to actually generate a new KSK and
roll out this one which had gotten "stuck".

Quite a bit earlier I reported I had the same issue on my test
installation of OpenDNSSEC 2.x, and the zone there which had
gotten stuck similarly was unwedged with

  ods-enforcer key rollover -z eduvpn.no --keytype KSK

So, not a fix for how this got into this state, but at least a
workaround to push OpenDNSSEC to move onwards.  Something to take
note of behind the ear; it appears to be a somewhat rare event...


- Håvard

More information about the Opendnssec-user mailing list