[Opendnssec-user] Changing policy for some domains
Havard Eidnes
he at uninett.no
Fri Apr 30 20:47:08 UTC 2021
>> I'm now one week later looking at the state of the keys with
>> ods-enforcer, and while the new KSK is generated and sits in the
>> zone, it doesn't look like OpenDNSSEC is doing a KSK roll-over to
>> complete the algorithm roll-over. Is it waiting for the normal
>> roll-over time to come for the zone, and *then* doing the KSK
>> roll-over? That seems counter-intuitive; I would have expected
>> that when I did "set-policy" and "enforce", it would realize that
>> I did indeed ask for a KSK with a new algorithm, and that an
>> automatic roll-over should be initiated immediately instead of
>> waiting for the normal rotation time previously specified (which
>> in my case is 1 year). State of the keys for the zone now look
>> like this:
>
> Yes it is still waiting for a normal rollover period. Could be
> a number of parameters in the kasp, such as long SOA or DNSKEY
> TTL, publish safety. I'm working on a better insight for the
> date of next transition to show why and when a transition for
> which key is done. But turned out to be more work.
Hm. I nudged my OpenDNSSEC by doing
ods-enforcer key rollover --zone urc.uninett.no --keytype KSK
and what appears to have happened is that it generated a new
ECDSA KSK. However, this was before the existing ECDSA KSK had
entered the "waiting for ds-seen" state.
My supporting scripts trigger on "waiting for ds-seen" or
"waiting for ds-gone" in the "normal" "ods-enforcer key list"
output before taking steps to extract and publish the DS record
in the parent zone, and waiting for all parent zone name servers
returning the DS record before doing "ods-enforcer key ds-seen",
or removing the DS record and confirming via "ods-enforcer key
ds-gone" that none of the name servers for the parent zone
publish the corresponding DS record.
However, so far none of the ECDSA KSKs have reached this state.
The new state is:
ods @ test-signer: {4} ods-enforcer key list -z urc.uninett.no
Keys:
Zone: Keytype: State: Date of next transition:
urc.uninett.no KSK active 2021-04-30 22:36:48
urc.uninett.no ZSK retire 2021-04-30 22:36:48
urc.uninett.no ZSK ready 2021-04-30 22:36:48
urc.uninett.no KSK retire 2021-04-30 22:36:48
urc.uninett.no ZSK ready 2021-04-30 22:36:48
urc.uninett.no KSK publish 2021-04-30 22:36:48
ods @ test-signer: {5} ods-enforcer key list -v -z urc.uninett.no
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
urc.uninett.no KSK active 2021-04-30 22:36:48 2048 8 60c393e7b35db5a0e9cf4a841693858f SoftHSM 46540
urc.uninett.no ZSK retire 2021-04-30 22:36:48 1280 8 1a81c8138fc886c7c84e8ebcd49a386a SoftHSM 9730
urc.uninett.no ZSK ready 2021-04-30 22:36:48 1280 8 4bbb93962f7bce0138c890889bff48b9 SoftHSM 42331
urc.uninett.no KSK retire 2021-04-30 22:36:48 2048 13 1605e5edf3e2c9b022010386419f624a SoftHSM 42582
urc.uninett.no ZSK ready 2021-04-30 22:36:48 1536 13 efd1db8fac425422cc8b5b8ad6837d2b SoftHSM 42185
urc.uninett.no KSK publish 2021-04-30 22:36:48 2048 13 bddba6319af36d263b3c77c4f1a0b069 SoftHSM 2894
ods @ test-signer: {6} ods-enforcer key list -d -z urc.uninett.no
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
urc.uninett.no KSK omnipresent omnipresent omnipresent NA 1 1 60c393e7b35db5a0e9cf4a841693858f
urc.uninett.no ZSK NA omnipresent NA unretentive 1 0 1a81c8138fc886c7c84e8ebcd49a386a
urc.uninett.no ZSK NA omnipresent NA rumoured 1 1 4bbb93962f7bce0138c890889bff48b9
urc.uninett.no KSK hidden unretentive unretentive NA 0 0 1605e5edf3e2c9b022010386419f624a
urc.uninett.no ZSK NA rumoured NA rumoured 1 1 efd1db8fac425422cc8b5b8ad6837d2b
urc.uninett.no KSK hidden rumoured rumoured NA 1 1 bddba6319af36d263b3c77c4f1a0b069
ods @ test-signer: {7}
while the old state was:
>> ods @ test-signer: {16} ods-enforcer key list -z urc.uninett.no -v
>> Keys:
>> Zone: Keytype: State: Date of next
>> transition: Size: Algorithm: CKA_ID:
>> Repository: KeyTag:
>> urc.uninett.no KSK active 2021-04-30 17:57:54
>> 2048 8 60c393e7b35db5a0e9cf4a841693858f SoftHSM
>> 46540
>> urc.uninett.no ZSK retire 2021-04-30 17:57:54
>> 1280 8 1a81c8138fc886c7c84e8ebcd49a386a SoftHSM
>> 9730
>> urc.uninett.no ZSK ready 2021-04-30 17:57:54
>> 1280 8 4bbb93962f7bce0138c890889bff48b9 SoftHSM
>> 42331
>> urc.uninett.no KSK publish 2021-04-30 17:57:54
>> 2048 13 1605e5edf3e2c9b022010386419f624a SoftHSM
>> 42582
>> urc.uninett.no ZSK ready 2021-04-30 17:57:54
>> 1536 13 efd1db8fac425422cc8b5b8ad6837d2b SoftHSM
>> 42185
>> ods @ test-signer: {17} ods-enforcer key list -z urc.uninett.no -d
>> Keys:
>> Zone: Key role: DS: DNSKEY:
>> RRSIGDNSKEY: RRSIG: Pub: Act: Id:
>> urc.uninett.no KSK omnipresent omnipresent
>> omnipresent NA 1 1 60c393e7b35db5a0e9cf4a841693858f
>> urc.uninett.no ZSK NA omnipresent
>> NA unretentive 1 0 1a81c8138fc886c7c84e8ebcd49a386a
>> urc.uninett.no ZSK NA omnipresent
>> NA rumoured 1 1 4bbb93962f7bce0138c890889bff48b9
>> urc.uninett.no KSK hidden rumoured
>> rumoured NA 1 1 1605e5edf3e2c9b022010386419f624a
>> urc.uninett.no ZSK NA rumoured
>> NA rumoured 1 1 efd1db8fac425422cc8b5b8ad6837d2b
>> ods @ test-signer: {18} ods-enforcer key list -z urc.uninett.no
>> Keys:
>> Zone: Keytype: State: Date of next transition:
>> urc.uninett.no KSK active 2021-04-30 17:58:55
>> urc.uninett.no ZSK retire 2021-04-30 17:58:55
>> urc.uninett.no ZSK ready 2021-04-30 17:58:55
>> urc.uninett.no KSK publish 2021-04-30 17:58:55
>> urc.uninett.no ZSK ready 2021-04-30 17:58:55
>> ods @ test-signer: {19}
Best regards,
- Håvard
More information about the Opendnssec-user
mailing list