[Opendnssec-user] Changing policy for some domains
Berry van Halderen
berry at nlnetlabs.nl
Fri Apr 30 17:21:42 UTC 2021
On 2021-04-30 18:14, Havard Eidnes wrote:
>>> Relevant commands:
>>> vi kasp.xml
>>> ods-enforcer policy import
>>> ods-enforcer zone set-policy -z example.com -p newpolicy
>>> ods-enforcer enforce -z example.com
>>>
>>> One caveat to think of, I probably wouldn't use this on
>>> combined signing keys (CSKs).
>>>
>>> If possible test this first, we've used set-policy but not for
>>> this specific case AFAIK.
>>
>> Hmm, this probably means that the wiki page at
>>
>> https://wiki.opendnssec.org/display/DOCS/kasp.xml
>>
>> with the notice
>>
>> Once a zone is signed, changes to the algorithm require a
>> rollover which is not currently handled by OpenDNSSEC. Attempts
>> to change the algorithm on a policy will result in a warning
>> message and a request for confirmation.
>>
>> needs an update? In particular it would seem that "is not
>> currently handled by OpenDNSSEC" is no longer true?
Yes, that needs updting, I think elsewhere it is explicitly states
to be supported. I think the entire wiki is to be revamped.
> I realize this is a wiki, and as far as I recall I do have
> editing privileges, so I can do the actual editing, but I'm
> hesitating to do that without getting any feedback first.
>
>> So ... I tried specifying algorithm 14 (ECDSA P-384) for KSK with
>> a 1 year rotation, and algorithm 13 (ECDSA P-256) for ZSK with a
>> 1 month rotation. Isn't that supposed to be supported? Or is
>> there something in the protocol specification which says that you
>> must have the same algorithm for KSK and ZSK? (I didn't think so.)
>
> Also, no comment on this?
Need to test, this situation. I know some people have transfered to
ECDSA, but haven't been in this process. There is no direct relation
between key algorithms here.
> I caved in, and specified algorithm 13 (ECDSA P-256) for both KSK
> and ZSK on my test system, and did as specified above: created an
> "ecdsa" policy specifying algorithm 13 and then:
>
> ods-enforcer zone set-policy -z urc.uninett.no -p ecdsa
> ods-enforcer enforce -z urc.uninett.no
>
> I'm now one week later looking at the state of the keys with
> ods-enforcer, and while the new KSK is generated and sits in the
> zone, it doesn't look like OpenDNSSEC is doing a KSK roll-over to
> complete the algorithm roll-over. Is it waiting for the normal
> roll-over time to come for the zone, and *then* doing the KSK
> roll-over? That seems counter-intuitive; I would have expected
> that when I did "set-policy" and "enforce", it would realize that
> I did indeed ask for a KSK with a new algorithm, and that an
> automatic roll-over should be initiated immediately instead of
> waiting for the normal rotation time previously specified (which
> in my case is 1 year). State of the keys for the zone now look
> like this:
Yes it is still waiting for a normal rollover period. Could be
a number of parameters in the kasp, such as long SOA or DNSKEY
TTL, publish safety. I'm working on a better insight for the
date of next transition to show why and when a transition for
which key is done. But turned out to be more work.
> ods @ test-signer: {16} ods-enforcer key list -z urc.uninett.no -v
> Keys:
> Zone: Keytype: State: Date of next
> transition: Size: Algorithm: CKA_ID:
> Repository: KeyTag:
> urc.uninett.no KSK active 2021-04-30 17:57:54
> 2048 8 60c393e7b35db5a0e9cf4a841693858f SoftHSM
> 46540
> urc.uninett.no ZSK retire 2021-04-30 17:57:54
> 1280 8 1a81c8138fc886c7c84e8ebcd49a386a SoftHSM
> 9730
> urc.uninett.no ZSK ready 2021-04-30 17:57:54
> 1280 8 4bbb93962f7bce0138c890889bff48b9 SoftHSM
> 42331
> urc.uninett.no KSK publish 2021-04-30 17:57:54
> 2048 13 1605e5edf3e2c9b022010386419f624a SoftHSM
> 42582
> urc.uninett.no ZSK ready 2021-04-30 17:57:54
> 1536 13 efd1db8fac425422cc8b5b8ad6837d2b SoftHSM
> 42185
> ods @ test-signer: {17} ods-enforcer key list -z urc.uninett.no -d
> Keys:
> Zone: Key role: DS: DNSKEY:
> RRSIGDNSKEY: RRSIG: Pub: Act: Id:
> urc.uninett.no KSK omnipresent omnipresent
> omnipresent NA 1 1 60c393e7b35db5a0e9cf4a841693858f
> urc.uninett.no ZSK NA omnipresent
> NA unretentive 1 0 1a81c8138fc886c7c84e8ebcd49a386a
> urc.uninett.no ZSK NA omnipresent
> NA rumoured 1 1 4bbb93962f7bce0138c890889bff48b9
> urc.uninett.no KSK hidden rumoured
> rumoured NA 1 1 1605e5edf3e2c9b022010386419f624a
> urc.uninett.no ZSK NA rumoured
> NA rumoured 1 1 efd1db8fac425422cc8b5b8ad6837d2b
> ods @ test-signer: {18} ods-enforcer key list -z urc.uninett.no
> Keys:
> Zone: Keytype: State: Date of next
> transition:
> urc.uninett.no KSK active 2021-04-30 17:58:55
> urc.uninett.no ZSK retire 2021-04-30 17:58:55
> urc.uninett.no ZSK ready 2021-04-30 17:58:55
> urc.uninett.no KSK publish 2021-04-30 17:58:55
> urc.uninett.no ZSK ready 2021-04-30 17:58:55
> ods @ test-signer: {19}
>
> And, as per usual for OpenDNSSEC2 the "Date of next transition"
> no longer means that, apparently.
>
> I'm initially waiting for a "waiting for ds-seen" state here for
> the new KSK, and it's not showing up.
>
> Do I have to manually initiate a KSK roll-over with
>
> ods-enforcer key rollover --zone urc.uninett.no --keytype KSK
>
> to get things moving along?
>
> Best regards,
>
> - Håvard
More information about the Opendnssec-user
mailing list