[Opendnssec-user] Release candidate for OpenDNSSEC 2.1.8
Stefan Ubbink
Stefan.Ubbink at sidn.nl
Wed Nov 25 09:37:19 UTC 2020
On Tue, 24 Nov 2020 12:57:00 +0100
Anders Löwinger <anders at abundo.se> wrote:
> On 2020-11-24 06:06, Stefan Ubbink wrote:
> I tried to compile softhsm2 and opendnssec. I have no keys to purge,
> but it accepts the command.
>
> $ sbin/ods-enforcer --version
> opendnssec version 2.1.8rc1
>
> $ sbin/ods-enforcer key list
> Keys:
> Zone:        Keytype:  State:    Date of next transition:
> example.com  KSK       publish   2020-11-24 12:46:12
> example.com  ZSK       ready     2020-11-24 12:46:12
> example      KSK       publish   2020-11-24 12:48:55
> example      ZSK       ready     2020-11-24 12:48:55
>
> $ sbin/ods-enforcer key purge --zone example --delete
> No keys to purge for example
> Found no keys to delete from HSM
>
> Your error message is from the validation logic in
> enforcer/src/keystate/key_purge.c
>
> Are you sure you are running the correct version?
Because of this, I was not sure anymore, so I tried it again yesterday
and now it did delete some keys :-))
I am very sorry to report something that I could not reproduce :-(
root at signt1:~# ods-enforcer key purge --zone politie --delete
deleting key: 2658828cd997e709ba416d178740587f
Number of keys deleted from HSM is 1
root at signt1:~#
To be able to test the ZSK rollover, I want to change the policy to the
lab policy, but that fails. I have already mentioned this to Berry
offlist.
root at signt1:~# ods-enforcer policy list
Policy:   Description:
default   SIDN default: elk uur signeren
TTL30M    SIDN GTLD zones: elk half uur signeren
lab       Quick turnaround policy for lab work
root at signt1:~# ods-enforcer zone set-policy --zone politie --policy lab
[Remote closed connection]
root at signt1:~#
The log shows the following when changing the policy:
....
Nov 25 07:35:44 signt1 ods-enforcerd: received command policy list
Nov 25 07:35:58 signt1 ods-enforcerd: received command zone set-policy --zone politie --policy lab
Nov 25 07:35:58 signt1 ods-enforcerd: Aborted
Nov 25 07:35:58 signt1 ods-enforcerd: :
....
And then I have to restart the enforcer again.
I'm still investigating the ZSK rollover, but because of the issues
with changing the policy, this is a bit more difficult.
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl