[Opendnssec-user] RetireSafety and PublishSafety not honored in testing

Einar Bjarni Halldórsson einar at isnic.is
Thu Nov 26 13:20:42 UTC 2020


Hi,


We have two staging signers running, in preparation of a migration of 
our zones to new signers. In our staging environment we have one signer 
designated as active (ns-signer01) and one designated as backup 
(ns-signer02). The backup signer has a different policy than the active, 
it has both KSK and ZSK keys set to ManualRollover. The plan is that the 
active signer performs key rollovers and syncs its keys and state to 
the backup signer every hour. We're using SoftHSM and we're syncing 
/var/lib/softhsm and /usr/local/var/opendnssec over. Since the backup 
signer has a different policy than the master, the backup runs 
`ods-enforcer policy import` after every sync to update the kasp.db 
received from the master with the settings from kasp.xml. Both the 
ISNIC-KSK and the ISNIC-ZSK repositories have RequireBackup set.

During testing we've configured an aggressive KASP for frequent 
rollovers and signings, to spot problems. Our settings from kasp.xml are:

<Keys>
    <TTL>PT300S</TTL>
    <RetireSafety>PT360S</RetireSafety>
    <PublishSafety>PT360S</PublishSafety>
    <Purge>P14D</Purge>

    <KSK>
        <Algorithm length="4096">8</Algorithm>
        <Lifetime>P10Y</Lifetime>
        <Repository>ISNIC-KSK</Repository>
        <ManualRollover/>
    </KSK>

    <ZSK>
        <Algorithm length="1024">8</Algorithm>
        <Lifetime>PT2H</Lifetime>
        <Repository>ISNIC-ZSK</Repository>
    </ZSK>
</Keys>

We're monitoring the DNSKEY records on both the active and the backup 
signers every 1 minute. We see that the active signer is rotating the 
ZSK every 2 hours as per the KASP, but what's troubling us is that we 
never see more than one ZSK in the DNSKEY set. It just goes from one ZSK 
to another between checks. Our understanding of the RetireSafety and 
PublishSafety options was that we would see two ZSK records for 12 
minutes (6 minutes before rollover and 6 minutes after rollover).


Can anyone see why we're not seeing what we're expecting, and if our 
expectations or our configuration is wrong?


.einar

ISNIC
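The check the post describes (sampling the DNSKEY RRset every minute and asking whether two ZSKs ever coexist) can be made repeatable. The script below is an added example, not code from the post or from the OpenDNSSEC project: it reads the RetireSafety and PublishSafety values from the `<Keys>` block quoted above, turns each ISO 8601 duration into seconds, classifies each DNSKEY by the SEP flag, computes key tags per RFC 4034 Appendix B, and then walks a series of DNSKEY snapshots to measure how long more than one ZSK was visible and where the ZSK set changed. The zone name `example.`, the one-minute sampling interval and the tiny base64 key blobs are constructed inputs; the "expected" window is the poster's reading of the two safety values (RetireSafety + PublishSafety = 12 minutes), used here as the threshold to test against, not a statement of what the enforcer guarantees.

```python
import base64
import re
import xml.etree.ElementTree as ET

# <Keys> block from the post, used as the KASP input for this check.
KASP_KEYS_XML = """
<Keys>
  <TTL>PT300S</TTL>
  <RetireSafety>PT360S</RetireSafety>
  <PublishSafety>PT360S</PublishSafety>
  <Purge>P14D</Purge>
  <KSK>
    <Algorithm length="4096">8</Algorithm>
    <Lifetime>P10Y</Lifetime>
    <Repository>ISNIC-KSK</Repository>
    <ManualRollover/>
  </KSK>
  <ZSK>
    <Algorithm length="1024">8</Algorithm>
    <Lifetime>PT2H</Lifetime>
    <Repository>ISNIC-ZSK</Repository>
  </ZSK>
</Keys>
"""

# Constructed DNSKEY records (placeholder zone, toy key material) standing in
# for what a dig/drill of the zone every minute would return.
KSK_LINE = "example. 300 IN DNSKEY 257 3 8 AQI="
ZSK_A_LINE = "example. 300 IN DNSKEY 256 3 8 AQID"
ZSK_B_LINE = "example. 300 IN DNSKEY 256 3 8 AQIE"
SAMPLE_INTERVAL = 60  # seconds between snapshots, as in the post
# Ten constructed samples: ZSK A for five minutes, then ZSK B, with no overlap.
SAMPLE_SNAPSHOTS = [(t, [KSK_LINE, ZSK_A_LINE]) for t in range(0, 300, 60)] + \
                   [(t, [KSK_LINE, ZSK_B_LINE]) for t in range(300, 600, 60)]

# ISO 8601 duration as used in kasp.xml (PT300S, PT2H, P14D, P10Y ...).
# Years and months are approximated as 365 and 30 days; only used for reporting.
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError("bad ISO 8601 duration: %r" % text)
    y, mo, w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return (((y * 365 + mo * 30 + w * 7 + d) * 24 + h) * 60 + mi) * 60 + s


def key_tag(flags, protocol, algorithm, key_b64):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Return (role, key_tag) for one DNSKEY record in presentation format."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in tokens[i + 1:i + 4])
    key_b64 = "".join(tokens[i + 4:])
    role = "KSK" if flags & 1 else "ZSK"  # SEP bit marks the KSK by convention
    return role, key_tag(flags, protocol, algorithm, key_b64)


def zsk_tags(lines):
    return {tag for role, tag in map(parse_dnskey, lines) if role == "ZSK"}


def check_rollover(kasp_keys_xml, snapshots, interval):
    """Compare observed ZSK overlap against RetireSafety + PublishSafety."""
    keys = ET.fromstring(kasp_keys_xml.strip())
    expected = (parse_duration(keys.findtext("RetireSafety"))
                + parse_duration(keys.findtext("PublishSafety")))
    overlap_samples, transitions, seen, prev = 0, [], set(), None
    for t, lines in snapshots:
        tags = zsk_tags(lines)
        seen |= tags
        if len(tags) > 1:
            overlap_samples += 1
        if prev is not None and tags != prev:  # ZSK set changed since last sample
            transitions.append((t, sorted(prev), sorted(tags)))
        prev = tags
    observed = overlap_samples * interval
    return {
        "expected_overlap_seconds": expected,
        "observed_overlap_seconds": observed,
        "distinct_zsks": len(seen),
        "transitions": transitions,
        # one sample of slack, since overlap is only resolved to the polling interval
        "ok": observed + interval >= expected,
    }


if __name__ == "__main__":
    report = check_rollover(KASP_KEYS_XML, SAMPLE_SNAPSHOTS, SAMPLE_INTERVAL)
    for k, v in report.items():
        print("%-25s %s" % (k, v))
```

Run against real snapshots, each `transitions` entry whose previous and new tag lists share nothing, with `observed_overlap_seconds` at 0, is exactly the "one ZSK straight to another between checks" behaviour described above; a healthy pre-publish rollover shows the new tag appearing alongside the old one for at least the expected window before the old one disappears.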


