[Opendnssec-user] KSK stuck in "retire" state
Havard Eidnes
he at uninett.no
Mon May 11 20:05:00 UTC 2020
Hi,
a while earlier I reported:
> we're still running OpenDNSSEC 1.4.14 for our operational signer
> host. This works mostly OK, but recently one of our KSKs appear
> to have become stuck in the "retire" state:
>
> ods @ signer: {1} ods-ksmutil key list | grep KSK | grep -v active
> mail.uninett.no KSK retire 2020-04-22 16:16:49
> ods @ signer: {2}
This persisted, and the KSK was being used to sign the DNSKEY
RRset as well.
I finally found a way to push OpenDNSSEC to move beyond this, and
that was to do
ods-ksmutil key rollover -z mail.uninett.no -t KSK
and OpenDNSSEC then deigned to actually generate a new KSK and
roll out this one which had gotten "stuck".
Quite a bit earlier I reported I had the same issue on my test
installation of OpenDNSSEC 2.x, and the zone there which had
gotten stuck similarly was unwedged with
ods-enforcer key rollover -z eduvpn.no --keytype KSK
So, not a fix for how this got into this state, but at least a
workaround to push OpenDNSSEC to move onwards. Something to take
note of behind the ear; it appears to be a somewhat rare event...
Regards,
- Håvard
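As an added example (not from the post and not OpenDNSSEC's own tooling), a small shell check that reads `ods-ksmutil key list` output and flags KSKs still in "retire" whose transition date has already passed, so a stuck key like the one above shows up before someone notices it by hand. It assumes the fourth column is the "Date of next transition" that OpenDNSSEC 1.4's `key list` prints, and the sample lines are constructed.

```shell
# Flag KSKs that have stayed in "retire" past their scheduled transition date.
# Reads `ods-ksmutil key list` output (OpenDNSSEC 1.4) on stdin, with lines
# shaped like the one quoted in the post:
#   mail.uninett.no   KSK   retire   2020-04-22 16:16:49
# Assumption: column 4 is the "Date of next transition"; a retire-state KSK
# whose date is before today should already have moved on, so it is stuck.
# $1 is today's date as YYYY-MM-DD; ISO dates compare correctly as strings,
# so awk needs no date arithmetic. Prints "zone date" per stuck KSK and
# returns 1 if any were found, 0 otherwise.
stuck_ksks() {
    today="$1"
    awk -v today="$today" '
        # Header lines ("Keys:", "Zone: Keytype: ...") never have KSK in $2.
        $2 == "KSK" && $3 == "retire" && $4 < today { print $1, $4; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample output (not real signer data) for a stand-alone run.
SAMPLE_KEYLIST='Keys:
Zone:                           Keytype:      State:    Date of next transition:
mail.uninett.no                 KSK           retire    2020-04-22 16:16:49
mail.uninett.no                 KSK           active    2020-05-11 10:00:00
example.test                    ZSK           retire    2020-04-01 00:00:00
example.test                    KSK           retire    2020-05-10 09:30:00
example.test                    KSK           retire    2020-06-30 00:00:00'

# Demo run pinned to the date of the post; in practice pipe the real command:
#   ods-ksmutil key list | stuck_ksks "$(date +%F)"
printf '%s\n' "$SAMPLE_KEYLIST" | stuck_ksks 2020-05-11 \
    || echo "at least one KSK is past its retire transition; consider a manual rollover" >&2
```

A non-zero exit makes the check easy to hook into cron or a monitoring probe; the ZSK line and the retire-state KSK whose date is still in the future are deliberately not reported.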